The goal of randomness extraction is to distill (almost) perfect randomness from a weak source 
of randomness. When the source yields a classical string X, many extractor constructions are 
known. Yet, when considering a physical randomness source, X is itself ultimately the result of 
a measurement on an underlying quantum system. When characterizing the power of a source to 
supply randomness it is hence a natural question to ask, how much classical randomness we can 
extract from a quantum system. To tackle this question we here take on the study of quantum-to- 
classical randomness extractors (QC-extractors). 

• We provide constructions of QC-extractors based on measurements in a full set of mutually unbiased bases (MUBs), and 
certain single qubit measurements. The latter are particularly appealing since they are not only easy to implement, but 
appear throughout quantum cryptography. We proceed to prove an upper bound on the maximum amount of randomness 
that we could hope to extract from any quantum state. Some of our QC-extractors almost match this bound. We show 
two applications of our results. 

• First, we show that any QC-extractor gives rise to entropic uncertainty relations with respect to quantum side information. 
Such relations were previously only known for two measurements. In particular, we obtain strong relations in terms of 
the von Neumann (Shannon) entropy as well as the min-entropy for measurements in (almost) unitary 2-designs, a full 
set of MUBs, and single qubit measurements in three MUBs each. 

• Second, we finally resolve the central open question in the noisy-storage model [Wehner et al., PRL 100, 220502 (2008)] 
by linking security to the quantum capacity of the adversary's storage device. More precisely, we show that any two 
party cryptographic primitive can be implemented securely as long as the adversary's storage device has sufficiently low 
quantum capacity. Our protocol does not need any quantum storage to implement, and is technologically feasible using 
present-day technology. 

I. INTRODUCTION 

Randomness is an essential resource for information theory, cryptography, and computation. However, most sources 
of randomness exhibit only weak forms of unpredictability. The goal of randomness extraction is to convert such weak 
randomness into (almost) uniform random bits. Classically, a weakly random source simply outputs a string X where 
the 'amount' of randomness is measured in terms of the probability of guessing the value of X ahead of time. That 
is, it is measured in terms of the min-entropy $H_{\min}(X) = -\log P_{\text{guess}}(X)$. To convert X to perfect randomness, one 
applies a function Ext that takes X, together with a shorter string R of perfect randomness (the seed) to an output 
string K = Ext(X, R). The use of a seed is thereby necessary to ensure that the extractor works for all sources X 
about which we know only the min-entropy, but no additional details of the source [88]. Much work has been invested 
into showing that particular classes of functions have the property that K is indeed very close to uniform as long as 
the min-entropy of the source $H_{\min}(X)$ is large enough. 

Yet, for most applications this is not quite enough, and we want an even stronger statement. In particular, imagine 
that we hold some side information E about X that increases our guessing probability to $P_{\text{guess}}(X|E)$. For example, 
such side information could come from an earlier application of an extractor to the same source. Intuitively, one 
would not talk about randomness if e.g., the output is uniformly distributed, but identical to an earlier output. In a 
cryptographic setting, side information can also be gathered by an adversary during the course of the protocol. We thus 
ask that the output is perfectly random even with respect to such side information, i.e., uniform and uncorrelated from 
E. Classically, it is known that extractors are indeed robust against classical side information [ST], yielding a uniform 
output K, whenever the min-entropy about X given access to side information E ($H_{\min}(X|E) = -\log P_{\text{guess}}(X|E)$) 
is sufficiently high (see [7S1IHH] for surveys). Especially with respect to cryptographic applications, we thereby again 
want extractors that work for any source X of sufficiently high entropy $H_{\min}(X|E)$ without any additional assumptions 
about the source. 

Recently, it has been recognized that since the underlying world is not classical, E may in fact hold quantum side 
information about X [55] [75]. That this adds substantial difficulty to the problem was emphasized in [37] where it was 
shown that there are in fact situations where using the same extractor gives a uniform output K if E is classical, but 
is entirely predictable when E is quantum. Positive results were obtained in [57] [74] [75] [86], eventually culminating 
in [30] [82], proving that a wide class of classical extractors (with relatively short seed) yield a uniform output, as long 
as $H_{\min}(X|E)$ is sufficiently large. 

Yet, in a fully quantum world we might ask ourselves: where does X itself come from? How can we hope to harness 
even weak sources to obtain surplus of classical randomness? Indeed, for any physical source hoping to create fresh 
randomness, X is the result of a measurement on a quantum system A. That is, we can view the source as consisting 
of in fact two processes: First, a quantum source emits a state $\rho_A$. Second, a measurement takes place yielding 
the classical string X. Note that quantum mechanics does allow many different measurements on $\rho_A$, and hence the 
question arises whether all such measurements are equally powerful at yielding a weakly random classical string X, 
or whether some are more useful to us than others. As such, it becomes clear that when trying to study our ability 
to extract randomness from any physical source, it is natural to ask how much randomness we can obtain from $\rho_A$ 
itself, rather than a particular classical string X. 

The problem of extracting randomness from X alone is further complicated by the fact that it is typically very hard 
to bound $H_{\min}(X|E)$, when X is the result of quantum measurements on A, even if we know stringent bounds on the 
quantum correlations between A and E to begin with. When E is trivial, entropic uncertainty relations [93] yield such 
bounds when we are willing to average over a few randomly chosen measurements. A crude bound on $H_{\min}(X|E)$ 
can then be obtained by assuming that the size of E is limited. But even classically, it is easy to see that there 
exist scenarios where bounding the adversary's knowledge simply by his memory size yields very weak bounds [58]. 
Another approach to bounding $H_{\min}(X|E)$, common in e.g., Quantum Key Distribution (QKD), is possible in the 
case when randomness is extracted from a state $\rho_{ABE}$ where measurements are made on both A and B to obtain an 
estimate of $H_{\min}(X|E)$ where X is obtained from A alone 2, 20j EH |41] [69l ES]. Part of the state is thereby consumed 
during the estimation process, which itself requires randomness. It is nevertheless possible to have an overall gain 
in randomness. For example, it is known that if measurements 2 between systems A and B lead to a so-called Bell 
inequality violation, then E knows little about X [2] EQl EU |36j [69J [70] [89]. This is exactly the setting of the recent 
proofs [SHI EH US] of [3TJ [2S] where such violations were used to certify the creation of random bits using quantum 
measurements as a black box. Clearly, making such an estimate is only possible in a special setting where the states 
have a particular form $\rho_{ABE}$, and we are given access to B and A. 

A. Quantum to classical extractors 

This leads us to study quantum-to-classical randomness extractors (QC-extractors). Our goal is to answer the 
following question: how can we extract classical randomness from a physical source $\rho_{AE}$ by performing measurements 
on the quantum state $\rho_A$? In analogy to classical extractors, we thereby want to obtain randomness from the source 
given only a minimal guarantee about its randomness, i.e., like the min-entropy $H_{\min}(X|E)$ for classical sources. It is 
important to note that unlike the classical world, quantum mechanics does allow for the creation of true randomness 
if we are given full control of the source and can prepare any state $\rho_A$ at will. 3 However, we want our extractors to 
work for any unknown source as long as it has sufficiently high entropy. 

As opposed to classical-to-classical extractors (CC-extractors) given by functions Ext(·, R) mapping the outcome 
of the randomness source to a string K, a QC-extractor is described by projective measurements whose outcomes 
correspond to a classical string K. That is, a QC-extractor is a set of measurements $\{\mathcal{M}^1_{A\to K}, \ldots, \mathcal{M}^L_{A\to K}\}$, where the 
random seed R determines the measurement $\mathcal{M}^j_{A\to K}$ that we will perform (see Section III for a detailed explanation 
and a formal definition). 4 

When talking about quantum states $\rho_{AE}$, what is the relevant measure of how weak or strong a source is? To gain 
some intuition on what the relevant measure should be, consider the case where $\rho_{AE}$ is the maximally entangled state 
between A and E. Intuitively, this is the strongest quantum correlation that can exist between two systems. It is 
not hard to see that if we measure A in any basis to obtain some outcome X, and later communicate the choice of 
basis to an adversary holding E, then the adversary can guess X perfectly. Intuitively, we would thus expect that the 
relevant measure of how weak a quantum source is with respect to E involves a measure of the amount of entanglement 
between A and E. It turns out that the conditional min-entropy $H_{\min}(A|E)$ is exactly such a measure [56], and we 
find that it is indeed the quantity that determines how many classical random bits we can hope to extract from A. 
That this is rather analogous to the classical case is very appealing. However, unlike for classical A, $H_{\min}(A|E)$ can 
be negative if A is quantum (see below). 
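
The maximally entangled example above, worked numerically for one qubit and the three single-qubit MUBs (added example, not code from the paper). The adversary's conjugate-basis measurement, the comparison state |0> with trivial E, and all function names are assumptions made for illustration.

```python
import math

S = 1 / math.sqrt(2)

# Three mutually unbiased bases of one qubit (the six-state measurements):
# computational (Z), Hadamard (X) and circular (Y). Each basis is a list of
# two vectors; the seed R picks the basis, the outcome index is the bit X.
MUBS = {
    "Z": [(1, 0), (0, 1)],
    "X": [(S, S), (S, -S)],
    "Y": [(S, 1j * S), (S, -1j * S)],
}

# Constructed sample states.
MAX_ENTANGLED = [[S, 0], [0, S]]   # amplitudes of (|00> + |11>)/sqrt(2) on A (x) E
KET_ZERO = (1, 0)                  # pure state |0> on A, adversary holds nothing


def conj(vec):
    """Complex-conjugate every amplitude of a vector."""
    return tuple(complex(c).conjugate() for c in vec)


def amplitude(bra_a, bra_e, state):
    """(<bra_a| (x) <bra_e|) applied to a two-qubit state given as state[i][j]."""
    return sum(
        complex(bra_a[i]).conjugate() * complex(bra_e[j]).conjugate() * state[i][j]
        for i in range(2)
        for j in range(2)
    )


def guess_with_conjugate_basis(state, basis):
    """Success probability of an adversary who is told the basis, measures E
    in the complex-conjugate basis and announces the outcome as the guess for X."""
    basis_e = [conj(v) for v in basis]
    return sum(abs(amplitude(basis[x], basis_e[x], state)) ** 2 for x in range(2))


def guess_without_side_info(state_a, basis):
    """Best guess for X when E is trivial: bet on the most likely outcome."""
    return max(
        abs(sum(complex(b[i]).conjugate() * state_a[i] for i in range(2))) ** 2
        for b in basis
    )


def min_entropy(p_guess):
    """Min-entropy in bits of a variable that can be guessed with probability p_guess."""
    return -math.log2(p_guess)


def average_guess_entangled():
    """Guessing probability for X given E and the uniformly random basis choice R."""
    return sum(guess_with_conjugate_basis(MAX_ENTANGLED, b) for b in MUBS.values()) / len(MUBS)


def average_guess_ket_zero():
    """Guessing probability for X given only the uniformly random basis choice R."""
    return sum(guess_without_side_info(KET_ZERO, b) for b in MUBS.values()) / len(MUBS)


if __name__ == "__main__":
    for name, p in (("maximally entangled", average_guess_entangled()),
                    ("|0>, trivial E", average_guess_ket_zero())):
        print(f"{name}: P_guess = {p:.4f}, min-entropy = {min_entropy(p):.4f} bits")
```

For the entangled state every basis is guessed with certainty, so the measured bit carries no min-entropy against the adversary; for |0> the average guessing probability over the three bases is 2/3.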

Note that in a quantum setting, we could also consider a quantum-to-quantum extractor (QQ-extractor). That 
is, an extractor in which we do not measure but merely ask that the resulting state is quantumly fully random 
(i.e., maximally mixed) and uncorrelated from E. Clearly, any QQ-extractor also forms a QC-extractor since any 
subsequent measurement on the maximally mixed state has a uniform distribution over outcomes. As such, a QQ-extractor 
is stronger than a QC-extractor, since for a QC-extractor we only require the output to be close to uniform after performing 
a measurement. 5 Constructions for such extractors are indeed well known in quantum information theory as a 
consequence of a notion known as 'decoupling', which plays a central role in quantum information theory (see [Tl 1321 
133] 143] 146] [47] and references therein). In general, a map that transforms a state $\rho_{AE}$ into a state that is close to 
a product state $\sigma_A \otimes \rho_E$ is a decoupling map. Decoupling processes thereby typically take the form of choosing a 
random unitary from a set $\{U_1, \ldots, U_L\}$, applying it to $A = A_1 A_2$ and tracing out (i.e., ignoring) the system $A_2$. For certain 
classes of unitaries such as (almost) unitary 2-designs [32j [44] [SO] [ST] (see below) the resulting state $\rho_{A_1 E}$ is close to 
maximally mixed on $A_1$ and uncorrelated from E, whenever $H_{\min}(A|E)$ is sufficiently large. Measurements consisting 
of applying such a unitary, followed by a measurement on $A_1$ thus also yield QC-extractors. 6 Another example of 
QQ-extractors is given by protocols that aim to distill entanglement between A and B from a state $\rho_{ABE}$ by means 
of arbitrary communication between A and B. The resulting output state is uncorrelated from E and maximally 
mixed on (part of) A. The state has the additional requirement that when measuring on (part of) A and B, the 
resulting output bits are perfectly correlated (i.e., they form a shared key). States $\rho_{AB}$ for which such a distillation 
is possible are also called private bits [3T] US]. Note that given any QQ-extractor one could always purify the output 
onto an additional system, say, B. Being mixed on A then corresponds naturally to being maximally entangled across 
A and B, underlining the close relation between randomness extraction and entanglement distillation [5] HE]. Note, 
however, that we do not want to assume special cases where we have access to other systems B in order to perform 
such a distillation. 

The authors of [9] also proposed a definition of quantum extractors that is indeed somewhat similar to a QQ-extractor, 
however without any side information E. Our definitions (see Section III) impose two important requirements 
not present in [HI Definition 5.1]. Firstly, we require the output of the extractor to be unpredictable for any, 
possibly quantum, adversary with access to side information E provided $H_{\min}(A|E)$ is large enough. Secondly, we 
consider strong extractors so that even given the seed R, the output of the extractor cannot be predicted. This allows 
us to employ our extractor for cryptographic purposes. It also means that the output K together with R are jointly 
close to uniform, meaning that we have effectively created more almost perfect randomness than we invested in the 



3 For example, we could prepare the state $|+\rangle = (|0\rangle + |1\rangle)/\sqrt{2}$ and measure it in the computational basis, yielding a truly random coin. 
Yet, this would correspond to controlling and knowing details of the source. 

4 For quantum information theorists, note that one can of course use measurements to prepare states by measuring successively - however, 
recall that we are interested in how much randomness we can obtain from an unknown source using a single measurement. The latter 
is furthermore motivated by experimental situations where successive measurements are typically very hard to implement. 

5 In quantum mechanics, it is possible to obtain a uniform distribution over outcomes even if the state was not maximally mixed. E.g., 
consider measuring the pure state $|0\rangle\langle 0|$ in the Fourier basis. 

6 For decoupling experts, note that the measurement map in a QC-extractor can be understood as a decoupling map. We would like to 
emphasize though that our QC-extractor results do not follow from previous work on decoupling, and our measurements have many 
nice properties not shared by unitaries used previously for decoupling. 

seed. 

QC-extractors. 

- We give two novel constructions of QC-extractors. 7 The first one involves a full set of mutually unbiased 
  bases (MUBs) and pair-wise independent permutations (Theorem III.8). This construction is more appealing 
  than unitary 2-designs because it is combinatorially much simpler to describe and computationally 
  more efficient, while having the same output size. 

  Our second construction (Theorem III.9) is composed of unitaries acting on single qudits followed by some 
  measurements in the computational basis. We also refer to these as bitwise QC-extractors. An appealing 
  feature of the measurements defined by these unitaries is that they can be implemented with current 
  technology. In addition to computational efficiency, the fact that the unitaries act on a single qubit is often 
  a desirable property for the design of cryptographic protocols in which the creation of randomness is not 
  the only requirement for security. Our example application below (see also Section V) illustrates this. 

- Finally, we also prove in Proposition III.6 that the maximum amount of randomness one can hope to 
  extract is roughly $n + H_{\min}(A|E)$, where n denotes the input size. This upper bound can indeed be almost 
  achieved by means of, e.g., our full set of MUBs QC-extractor. We also establish basic upper and lower 
  bounds on the seed size for QC-extractors (see Table [TTJ). 

The technique we use to prove that our constructions are QC-extractors is to bound the distance between the 
output of the extractor and the desired output in Hilbert-Schmidt norm (using ideas from [TUl [3"2l ISSI HSUTfllSClllSlj ). 
For the full set of MUBs, this distance can even be computed exactly. We use the fact that the set of all the MUB 
vectors forms a complex projective 2-design and that the set of permutations is pair-wise independent. For our second 
construction, the analysis uses similar ideas in a more involved calculation. Our upper bound on the amount of 
extractable randomness follows from simple monotonicity properties of the min-entropy. The upper bound on the 
seed size follows from a non-explicit construction involving measure concentration techniques. 



B. Application to entropic uncertainty relations 

One of the fundamental ideas in quantum mechanics is the uncertainty principle. The security of essentially all 
quantum cryptographic protocols is founded on its existence. Intuitively, it states that even with complete knowledge 
about the quantum state $\rho_A$ of a system A, it is impossible to predict the outcomes of all possible measurements on 
A with certainty. In an information theoretic context it is very natural to quantify this lack of knowledge in terms of 
entropic uncertainty relations (see [93] for a survey). Apart from their deep significance in the foundations of quantum 
mechanics, entropic uncertainty relations are crucial tools in quantum information theory and quantum cryptography. 
The most well-known relation is for two measurements $\mathcal{M}^1_{A\to K}$, $\mathcal{M}^2_{A\to K}$ and reads 

lf>(/,) pJ >logi, (1) 

where $H(K)_{\rho^j}$ denotes the Shannon entropy of the post-measurement probability distributions $\rho^j_K = \mathcal{M}^j_{A\to K}(\rho_A)$, 
and c measures the overlap between the measurements. Note that for any quantum state $\rho_A$ and measurements for 
which $c \neq 1$, at least one of the entropies has to be greater than zero. In other words, it is impossible to predict the 
outcomes of both measurements with certainty. Uncertainty relations are thereby called strong, if $\log(1/c)$ is large. 

Just as extractors can depend on side information E, it is important to realize that also uncertainty should in fact 
not be treated as an absolute, but with respect to the prior knowledge of an observer who has access to a quantum 
system E [94]. As an illustration, recall the example from above where $\rho_{AE}$ is the maximally entangled state. In 
this case, for any measurement on A, there is a corresponding measurement on E that reproduces the measurement 
outcomes. I.e., there is no uncertainty at all! In order to take into account possibly quantum information about A, one 
needs to prove new entropic uncertainty relations that would have an additional term quantifying the quantum side 
information. Unfortunately, up to this day, we only know such relations for two measurements [l2l fl9l [22ti24l 1731 [85] . 
Intuitively, uncertainty relations for two measurements are much easier to prove than relations for more measurements 



7 That is, not following from results on QQ-extractors (i.e., from general decoupling theorems in quantum information theory). 

as in this case uncertainty coincides with another foundational notion in quantum information, complementarity. This 
notion is relevant when we perform two measurements in succession and was an essential ingredient in the proofs. 
However, it does not carry over to three or more measurements. Here, we prove the following results. 

Uncertainty relations with quantum side information for more than two measurements. We show 
that any set of measurements forming a QC-extractor yields an entropic uncertainty relation with respect to 
quantum side information. We thereby obtain relations both for the usual von Neumann (Shannon) entropy, as 
well as the min-entropy. The latter is relevant for cryptographic applications. This yields the first uncertainty 
relations with quantum side information for more than two measurements. From our QC-extractors, we obtain 
strong uncertainty relations for (almost) unitary 2-designs, measurements in a full set of mutually unbiased 
bases (MUBs) on the whole space, as well as on many single qudits. The latter are the measurements used 
e.g., in the six-state protocol of QKD, and are particularly relevant for applications in quantum cryptography 
(see Table [I] for a summary of results for the min-entropy). 

Note that uncertainty relations in terms of the min-entropy effectively help us to bound $H_{\min}(X|ER)$, where R is 
the seed for the QC-extractor (see Section IV for details). For example, for the full set of MUBs we prove that 

$H_{\min}(X|ER) > \log|A| + H_{\min}(A|E)$ , (2) 

where the output of the measurements is called X. Since $H_{\min}(A|E)$ is negative when A and E are entangled, one 
obtains less uncertainty in this case (as expected when considering the example of a maximally entangled state given 
above). Of course, given such a bound, we could in turn apply a CC-extractor to the weakly random string X to 
obtain a uniform K. This underscores the beautiful relation between the concept of randomness extraction from 
a quantum state, and the notion of uncertainty relations with side information in quantum physics. From a QC- 
extractor, we obtain uncertainty relations. In turn, from any measurements inducing strong uncertainty relations plus 
a CC-extractor, we obtain a QC-extractor. 8 

C. Application to cryptography 

Our second application is to proving security in the noisy-storage model. Unfortunately, it turns out that even 
quantum communication does not enable us to solve two-party cryptographic problems between two parties that 
do not trust each other [BO]. Such problems include e.g., the well-known primitives bit commitment and oblivious 
transfer [16] [18] [28] [61] [65], of which merely very weak variants are possible. How can this be when quantum 
communication offers such great advantages when it comes to distributing encryption keys? Intuitively, the security 
proof of QKD is considerably simplified by the fact that Alice and Bob do trust each other, and can collaborate to 
check for any eavesdropping activity. For example, as mentioned above, when Alice and Bob share a state $\rho_{ABE}$, 
where the eavesdropper holds E, they can use up part of the state to obtain an estimate of $H_{\min}(X|E)$, where X is 
a measurement outcome of the remaining part of Alice's system. 

Yet, since two-party cryptographic protocols are a central part of modern cryptography, one is willing to make 
assumptions on how powerful the adversary can be in order to obtain security. Classically, these assumptions typically 
consist of two parts. First, one assumes that a particular problem requires a lot of computational resources to solve 
in some precise complexity theoretic sense. Second, one assumes that the adversary does indeed have insufficient 
computational resources. However, we might instead ask whether there are other, more physical assumptions that 
enable us to solve such tasks? 

Classically, it is possible to obtain security, when we are willing to assume that the adversary's classical memory 
is limited in size [T7J[B1]. Yet, apart from the fact that classical storage is by now cheap and plentiful, the beautiful 
idea of assuming a limited classical storage has one rather crucial caveat: any classical protocol in which the honest 
players need to store n classical bits to execute the protocol can be broken by an adversary who is able to store 
more than $O(n^2)$ bits [34]. Motivated by this unsatisfactory gap, it was thus suggested to assume that the attacker's 
quantum storage was bounded [25JHBJ, or, more generally, noisy [S5J [751 HI]. The central assumption of the so-called 
noisy-storage model is that during waiting times $\Delta t$ introduced in the protocol, the adversary can only keep quantum 
information in his quantum storage device $\mathcal{F}$. Otherwise, the attacker may be all powerful. In particular, he can store 
an unlimited amount of classical information, and perform computations 'instantaneously'. The latter implies that 
the attacker could encode his quantum information into an arbitrarily complicated error correcting code to protect 



8 Note that measurements plus a classical post-processing effectively form a new, larger, set of measurements. 

it from any noise in $\mathcal{F}$ (see Section V for details). Of particular interest are thereby quantum memories consisting 
of N 'memory cells', each of which undergoes some noise described by a channel $\mathcal{N}$. That is, the memory device is 
of the form $\mathcal{F} = \mathcal{N}^{\otimes N}$. Note that the bounded storage model is a special case, where each memory cell is just one 
qubit, and $\mathcal{N}$ is the identity channel. To relate the number of transmitted qubits n to the size of the storage device 
one typically chooses the storage rate $\nu$ such that $N = \nu \cdot n$. We follow this convention here to ease comparison with 
earlier work. 

Since its inception [ST], it was clear that security in the noisy-storage model should be related to the question 
of how much information the adversary can send through his noisy storage device. That is, the capacity of $\mathcal{F}$ to 
transmit quantum information. Initial progress was made in [58] where security was linked to the storage device's 
ability to transmit classical information and shown against fully general attacks. 9 Further progress was made only 
very recently, linking the security to the so-called entanglement cost of the storage device [TTj, which lies between its 
classical and quantum capacities. 

Security and the quantum capacity. Here, we finally resolve the question of linking security in the noisy- 
storage model to the quantum capacity of the storage device. More precisely, we show that any two-party 
cryptographic primitive can be implemented securely under the assumption that the adversary is restricted to 
using a quantum storage device of the form $\mathcal{F} = \mathcal{N}^{\otimes \nu n}$ by means of a protocol transmitting n qubits whenever 

$\nu \cdot Q(\mathcal{N}) < 1$ , and $2 - \log(3) < \nu \cdot \gamma^Q(\mathcal{N}, 1/\nu)$ , (3) 

where $Q(\mathcal{N})$ is the quantum capacity of the channel $\mathcal{N}$ and $\gamma^Q(\mathcal{N}, 1/\nu)$ is the so-called strong converse parameter 
of $\mathcal{N}$ for sending information through $\mathcal{F}$ at rate $R = 1/\nu$. Note that the second condition actually does favor 
small $\nu$, since $\gamma^Q(\mathcal{N}, 1/\nu)$ is large whenever the rate $R = 1/\nu$ is large. A similar statement can be obtained for 
general channels $\mathcal{F}$ (see Section V for details and a worked out example). 

We prove our result by showing the security of a simple quantum protocol for the cryptographic primitive weak 
string erasure [58], which is known to be universal for two-party secure computation [58]. To this end, we employ 
the bitwise QC-extractor for measurements of single qubits, each in one of three MUBs, known from the six-state 
protocol in QKD. 

II. PRELIMINARIES 
A. Basic concepts 

We briefly recount some important facts of quantum information, and establish notational conventions. A more 
gentle introduction can be found in e.g. [58] or [66]. 

1. Quantum states 

In quantum mechanics, systems such as Alice's or Bob's labs are described mathematically by Hilbert spaces, 
denoted by A, B, C, .... Here, we follow the usual convention in quantum cryptography and assume that all Hilbert 
spaces are finite-dimensional. We write $|A|$ for the dimension of A. The set of linear operators on A is denoted by 
$\mathcal{L}(A)$. A quantum state $\rho_A$ is an operator $\rho_A \in \mathcal{S}(A)$, where $\mathcal{S}(A) = \{\sigma_A \in \mathcal{L}(A) \mid \sigma_A \geq 0, \mathrm{tr}(\sigma_A) = 1\}$. If $\rho_A$ has 
rank 1 it is called a pure state. For technical reasons we also need the notion of sub-normalized states $\rho_A \in \mathcal{S}_{\leq}(A)$, 
where $\mathcal{S}_{\leq}(A) = \{\sigma_A \in \mathcal{L}(A) \mid \sigma_A \geq 0, \mathrm{tr}(\sigma_A) \leq 1\}$. We will use the term state to refer to sub-normalized states, 
unless otherwise indicated in context. 

Two systems A and B are combined using the tensor product, written as $AB = A \otimes B$. An operator on two 
systems AB is thereby also called bipartite (and multipartite if the number of systems is larger). Given a bipartite 
state $\rho_{AB} \in \mathcal{S}_{\leq}(AB)$, we write $\rho_A = \mathrm{tr}_B[\rho_{AB}]$ for the corresponding reduced state, where $\mathrm{tr}_B$ is the partial trace over 
B. That is, $\rho_A$ is the state on system A alone. 



9 Before [58], security was only shown under the additional assumption that the adversary attacks each qubit individually [91]. Whereas 
this may sound similar to problems in QKD, note that the setting is entirely different when proving security between two mutually 
distrustful parties, and security in QKD does not imply security in this model. 

It will be convenient to express classical probability distributions as quantum states. For some set $\mathcal{X}$, let $\{|x\rangle\}_{x \in \mathcal{X}}$ 
be an orthonormal basis of the space X where each basis vector $|x\rangle$ corresponds to some particular element $x \in \mathcal{X}$. 
A distribution $P_X$ over $\mathcal{X}$ can now be expressed as 

$P_X = \sum_{x \in \mathcal{X}} P_X(x)\, |x\rangle\langle x|$ . (4) 

We also call this a classical state or a c-state. In general, systems are called classical if they are of the above form for 
some fixed standard basis, often called the computational basis. Naturally, one can now also consider states which 
are classical on system X and quantum on some other system A. Such states have the form 



Pxa = 




We also call such states classical-quantum or cq-states. In general, when indicating that a multipartite state is part 
classical, part quantum we will use c and q to label the classical and quantum systems, respectively. 



2. Quantum operations 

The simplest quantum operation is given by a unitary operator U taking $\rho$ to $U \rho U^\dagger$. Later on, we will consider 
applying unitary operators only to one part of a multipartite state. When applying U only to system A of $\rho_{AB}$ we 
thereby also use the common shorthand 

$U_A \rho_{AB} U_A^\dagger = (U \otimes \mathbb{1}_B)\, \rho_{AB}\, (U \otimes \mathbb{1}_B)^\dagger$ , (6) 

where $\mathbb{1}_B$ denotes the identity in $\mathcal{L}(B)$. More generally, for $M_A \in \mathcal{L}(A)$ we write $M_A = M_A \otimes \mathbb{1}_B$ for the enlargement 
on any AB. Any operation allowed by quantum mechanics can be expressed as a quantum channel. The simplest 
of these is the identity channel. For A, B with orthonormal bases $\{|i\rangle_A\}_{i=1}^{|A|}$, $\{|i\rangle_B\}_{i=1}^{|B|}$ and $|A| = |B|$, the canonical 
identity mapping from $\mathcal{L}(A)$ to $\mathcal{L}(B)$ with respect to these bases is denoted by $\mathcal{I}_{A\to B}$, i.e. $\mathcal{I}_{A\to B}(|i\rangle\langle j|_A) =$ 

A linear map $\mathcal{E}_{A\to B}: \mathcal{L}(A) \to \mathcal{L}(B)$ is positive if $\mathcal{E}_{A\to B}(\rho_A) \geq 0$ for all $\rho_A \geq 0$. It is completely positive if the map 
$(\mathcal{E}_{A\to B} \otimes \mathcal{I}_{C\to C})$ is positive for all C. Completely positive and trace preserving maps (CPTMs) are called quantum 
channels. 

Indeed, also a measurement can be described as a quantum channel. Intuitively, a measurement takes a state $\rho$ to 
one of several possible classical measurement 'outcomes', where each outcome occurs with a certain probability. That 
is, for some fixed measurement a particular state $\rho$ determines some classical probability distribution over outcomes. 
Recall from Equation (4) that we can express this distribution in terms of a quantum state. It will be convenient to 
express this in terms of a quantum channel as the following measurement map, that we will need in Section III. For 
a bipartite system $A = A_1 A_2$, it is defined as $\mathcal{T}_{A\to A_1}: \mathcal{L}(A) \to \mathcal{L}(A_1)$, 

$\mathcal{T}_{A\to A_1}(\cdot) = \sum_{a_1, a_2} \langle a_1 a_2|(\cdot)|a_1 a_2\rangle\, |a_1\rangle\langle a_1|$ , (7) 

where $\{|a_1\rangle\}$, $\{|a_2\rangle\}$ are (standard) orthonormal bases of $A_1$, $A_2$ respectively. A small calculation readily reveals that 
this map can be understood as tracing out $A_2$, and then measuring the remaining system $A_1$ in a basis $\{|a_1\rangle\}$. Note 
that the outcome of the measurement map is classical in the basis $\{|a_1\rangle\}$ on $A_1$. 

Throughout, we will need this measurement map to consider measurements of a specific form. These are formed 
by first applying some particular unitary $U_j$ to the state, followed by the measurement map $\mathcal{T}_{A\to A_1}$. We denote these 
measurements by 

$\mathcal{M}^j_{A\to K_1}(\rho_A) = \mathcal{I}_{A_1\to K_1}\big(\mathcal{T}_{A\to A_1}(U_j \rho_A U_j^\dagger)\big)$ , (8) 

where the relabeling $A_1 \to K_1$ accounts for the fact that the output system is actually classical (a notation that will 
be very useful in Section IV on entropic uncertainty relations). 



3. Distance measures 

We will employ two well known distance measures between quantum states. The first is the $L_1$- or trace distance, which is induced by the $L_1$-norm $\|\rho\|_1 = \mathrm{tr}$

The trace distance determines the success probability of distinguishing two states $\rho$ and $\sigma$ given with a priori equal probability

The second distance measure we will refer to is the purified distance. To define it, we need the concept of generalized fidelity between two states $\rho$, $\sigma$, which can be defined as [84],

$$\bar{F}(\rho, \sigma) = F(\rho, \sigma) + \sqrt{(1 - \mathrm{tr}[\rho])(1 - \mathrm{tr}[\sigma])} , \tag{9}$$

where $F(\rho, \sigma) = \|\sqrt{\rho}\sqrt{\sigma}\|_1$ is the usual notion of fidelity. Note that if at least one of the states is normalized, then the two notions of fidelity coincide, i.e. $\bar{F}(\rho, \sigma) = F(\rho, \sigma)$. The purified distance between two states $\rho$, $\sigma$ is now defined as 03 Eg

$$P(\rho, \sigma) = \sqrt{1 - \bar{F}(\rho, \sigma)^2} , \tag{10}$$

and is a metric on the set of sub-normalized states [84]. To gain some intuition about the notion of purified distance, note that by Uhlmann's theorem [ST] the fidelity between two normalized states $\rho$, $\sigma$ can be written as $F(\rho, \sigma) = \max_{|\rho\rangle, |\sigma\rangle} |\langle \rho | \sigma \rangle|$, where the maximization is taken over all purifications $|\rho\rangle\langle\rho|$ of $\rho$ and $|\sigma\rangle\langle\sigma|$ of $\sigma$. Furthermore, note that for pure states $\sqrt{1 - F(|\rho\rangle\langle\rho|, |\sigma\rangle\langle\sigma|)^2} = \frac{1}{2}\big\| |\rho\rangle\langle\rho| - |\sigma\rangle\langle\sigma| \big\|_1$. Hence, for normalized states, we can think of the purified distance as the minimal trace distance between any two purifications of the states $\rho$ and $\sigma$. The purified distance is indeed closely related to the trace distance, as for any two states $\rho$, $\sigma$ we have [53],

$$\frac{1}{2}\|\rho - \sigma\|_1 \le P(\rho, \sigma) \le \sqrt{2\|\rho - \sigma\|_1} . \tag{11}$$

It is furthermore easy to see that for normalized states the factor 2 on the right hand side can be improved to 1.

For any distance measure, we can define an $\epsilon$-ball of states around $\rho$ as the states at a distance not more than $\epsilon$ from $\rho$. Below, we will apply this notion to the purified distance and define

$$\mathcal{B}^\epsilon(\rho_A) = \{\sigma_A \in \mathcal{S}_\le(A) \mid P(\rho_A, \sigma_A) \le \epsilon\} . \tag{12}$$



B. Quantifying information 

The von Neumann entropy of $\rho_A \in \mathcal{S}_\le(A)$ is defined as $H(A)_\rho = -\mathrm{tr}[\rho_A \log \rho_A]$. Note that for a classical state $\rho_X$ this is simply the familiar Shannon entropy. The conditional von Neumann entropy of $A$ given $B$ for $\rho_{AB} \in \mathcal{S}_\le(AB)$ is defined as

$$H(A|B)_\rho = H(AB)_\rho - H(B)_\rho . \tag{13}$$

The conditional min-entropy of a state $\rho_{AB} \in \mathcal{S}(AB)$ is defined as$^{10}$

$$H_{\min}(A|B)_\rho = \max_{\sigma_B \in \mathcal{S}(B)} H_{\min}(A|B)_{\rho|\sigma} , \tag{14}$$

with

$$H_{\min}(A|B)_{\rho|\sigma} = \max\{\lambda \in \mathbb{R} : 2^{-\lambda} \cdot \mathbb{1}_A \otimes \sigma_B \ge \rho_{AB}\} . \tag{15}$$

For the special case where $B$ is trivial, we obtain $H_{\min}(A)_\rho = -\log \|\rho_A\|_\infty$, where $\|\cdot\|_\infty$ denotes the operator norm.

Whereas this definition may seem rather unwieldy, the min-entropy is known to have interesting operational interpretations [56]. If $A$ is classical, then the min-entropy can be expressed as $H_{\min}(A|B)_\rho = -\log P_{\mathrm{guess}}(A|B)$, where $P_{\mathrm{guess}}(A|B)$ is the average probability of guessing the classical symbol $A = a$ maximized over all possible measurements on $B$. If $A$ is quantum, then $H_{\min}(A|B)_\rho$ is directly related to the maximal singlet fraction achievable by performing an operation on $B$, i.e. it is intuitively related to the amount of entanglement between $A$ and $B$.

In practice, the full (operational) use of entropies only comes to play if one works with smoothed entropies.$^{11}$ For the conditional min-entropy this takes the form

$$H^\epsilon_{\min}(A|B)_\rho = \max_{\bar{\rho}_{AB} \in \mathcal{B}^\epsilon(\rho_{AB})} H_{\min}(A|B)_{\bar{\rho}} , \tag{16}$$

where the smoothing parameter $\epsilon > 0$ typically corresponds to an error tolerance in information theoretic operational interpretations. For a more detailed discussion about smooth entropies we refer to [2"9l ISlfl 17411551 154] .



10 We write max instead of sup as we work with finite dimensional Hilbert spaces. 

11 Of course, this is not the case for the von Neumann entropy. But note that the von Neumann entropy usually only has operational 
interpretations in an independent and identically distributed asymptotic setting. In contrast to this, smooth entropies allow the 
quantitative characterization of general (structureless) resources.

III. QUANTUM TO CLASSICAL RANDOMNESS EXTRACTORS (QC-EXTRACTORS)

The use of random bits is of fundamental importance for many information theoretic and computational tasks. 
However, perfect randomness is not easily found in nature. Most sources of randomness only exhibit weak forms of 
unpredictability. In order to use such sources in applications, one has to find a procedure to convert weak randomness 
into almost uniform random bits. Such procedures are usually referred to as randomness extractors, which have been 
extensively studied in the theoretical computer science literature; see |79[ 188] for surveys. 

In a classical world, the sources of randomness are described by probability distributions and the randomness 
extractors are families of (deterministic) functions taking each possible value of the source to a binary string. To 
understand the definition of quantum extractors, it is convenient to see a classical extractor as a family of permutations 
acting on the possible values of the source. This family of permutations should satisfy the following property: for any 
probability distribution on input bit strings with high min-entropy, applying a typical permutation from the family 
to the input induces an almost uniform probability distribution on a prefix of the output. We define a quantum to 
quantum extractor in a similar way by allowing the operations performed to be general unitary transformations and 
the input to the extractor to be quantum. 

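Definition III.1 (QQ-Extractors). Let $A = A_1A_2$ with $n = \log|A|$. Define the trace-out map $\mathrm{tr}_{A_2} : \mathcal{L}(A) \to \mathcal{L}(A_1)$ by $\mathrm{tr}_{A_2}(\cdot) = \sum_{a_2} \langle a_2|(\cdot)|a_2\rangle$, where $\{|a_2\rangle\}$ is an orthonormal basis of $A_2$.

For $k \in [-n, n]$ and $\epsilon \in [0, 1]$, a $(k, \epsilon)$-QQ-extractor is a set $\{U_1, \ldots, U_L\}$ of unitary transformations on $A$ such that for all states $\rho_{AE} \in \mathcal{S}(AE)$ satisfying $H_{\min}(A|E)_\rho \ge k$, we have

$$\frac{1}{L}\sum_{i=1}^{L} \left\| \mathrm{tr}_{A_2}\!\left[U_i \rho_{AE} U_i^\dagger\right] - \frac{\mathbb{1}_{A_1}}{|A_1|} \otimes \rho_E \right\|_1 \le \epsilon . \tag{17}$$

$\log L$ is called the seed size of the extractor.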



We make a few remarks on the definition. First, we should stress that the same set of unitaries should satisfy (17) for all states $\rho_{AE}$ that meet the conditional min-entropy criterion $H_{\min}(A|E)_\rho \ge k$. In particular, the system $E$ can have arbitrarily large dimension. The quantity $H_{\min}(A|E)_\rho$ measures the uncertainty that an adversary has about the system $A$. As it is usually impossible to model the knowledge of an adversary, a bound on the conditional min-entropy is often all one can get. A notable difference with the classical setting is that the conditional min-entropy $k$ can be negative when the systems $A$ and $E$ are entangled. In fact, in many cryptographic applications, this case is the most interesting.



A statement of the form of Equation (17) is more commonly known as a 'decoupling' result [Tl 1521 1551 H51 1351 Wf\ . Note, however, that decoupling does not always lead to the output being close to maximally mixed. Such statements play an important role in quantum information theory and many coding theorems amount to proving a decoupling theorem. In fact, the authors of [52JI55] showed that a set of unitaries forming a unitary 2-design (see Definition III.3) defines a $(k, \epsilon)$-QQ-extractor as long as the output size $\log|A_1| \le (n + k)/2 - \log(1/\epsilon)$.

A definition of quantum extractors was also proposed in [9, Definition 5.1]. Our definition is stronger in two respects. Firstly, we consider strong extractors in that we impose a condition on the average of the trace distance to the uniform distribution, in contrast to the trace distance of the average. The weaker constraint used by [9] allows them to construct quantum extractors with output size equal to the input size.$^{12}$ Secondly, we require the extractor to decouple the $A$ system from any quantum side information held in the system $E$.

In the context of cryptography, a QQ-extractor is often more than one needs. In fact, it is usually sufficient to 
extract random classical bits, which is in general easier to obtain than random qubits. This motivates the following 
definition, where the difference to a QQ-extractor is that the output system A\ is measured in the computational 
basis. In particular, any $(k, \epsilon)$-QQ-extractor is also a $(k, \epsilon)$-QC-extractor.

Definition III.2 (QC-Extractors). Let $A = A_1A_2$ with $n = \log|A|$, and let $\mathcal{T}_{A \to A_1}$ be the measurement map defined in Equation (7).

For $k \in [-n, n]$ and $\epsilon \in [0, 1]$, a $(k, \epsilon)$-QC-extractor is a set $\{U_1, \ldots, U_L\}$ of unitary transformations on $A$ such that for all states $\rho_{AE} \in \mathcal{S}(AE)$ satisfying $H_{\min}(A|E)_\rho \ge k$, we have

$$\frac{1}{L}\sum_{i=1}^{L} \left\| \mathcal{T}_{A \to A_1}\!\left(U_i \rho_{AE} U_i^\dagger\right) - \frac{\mathbb{1}_{A_1}}{|A_1|} \otimes \rho_E \right\|_1 \le \epsilon . \tag{18}$$

$\log L$ is called the seed size of the QC-extractor.

12 In this case, the net randomness extracted is obtained by subtracting the randomness used for the seed



Observe that Definition III.2 only allows a specific form of measurements obtained by applying a unitary transformation followed by a measurement in the computational basis of $A_1$. The reason we use this definition is that we want the output of the extractor to be determined by the source and the choice of the seed. In the quantum setting, a natural way of translating this requirement is by imposing that an adversary holding a system that is maximally entangled with the source can perfectly predict the output. This condition is satisfied by the form of measurements dictated by Definition III.2. Allowing generalized measurements (POVMs) already (implicitly) allows the use of randomness for free. Note also, that in the case where the system $E$ is trivial, a $(0, \epsilon)$-QC-extractor is the same as an $\epsilon$-metric uncertainty relation [35].



A. Examples and limitations of QC-extractors 



Universal (or two-independent) hashing is probably one of the most important extractor constructions, which even 
predates the general definition of extractors [59]. Unitary 2-designs can be seen as a quantum generalization of 
two-independent hash functions. 

Definition III.3. A set of unitaries $\{U_1, \ldots, U_L\}$ acting on $A$ is said to be a 2-design if for all $M \in \mathcal{L}(A)$, we have

$$\int U^{\otimes 2} M (U^\dagger)^{\otimes 2}\, dU \tag{19}$$

where the integration is with respect to the Haar measure on the unitary group.

Many efficient constructions of unitary 2-designs are known [27], [39], and in an $n$-qubit space, such unitaries can typically be computed by circuits of size $O(n^2)$. However, observe that the number of unitaries of a 2-design is at least $L \ge |A|^4 - 2|A|^2 + 2$ (3§J . The following is immediate using a general decoupling result from [33] (see Lemma B.1).

Corollary III.4. Let $A = A_1A_2$ with $n = \log|A|$. For all $k \in [-n, n]$ and all $\epsilon > 0$, a unitary 2-design $\{U_1, \ldots, U_L\}$ on $A$ is a $(k, \epsilon)$-QC-extractor with output size

$$\log|A_1| = \min(n, n + k - 2\log(1/\epsilon)) . \tag{20}$$

Similar results also hold for almost unitary 2-designs; see [501 EI] . Using [13], this shows for instance that random quantum circuits of size $O(n^2)$ are QC-extractors with basically the same parameters as in Corollary III.4. We now prove that choosing a reasonably small set of unitaries at random defines a QC-extractor with high probability. The seed size in this case is of the same order as the output size of the extractor. We expect that a much smaller seed size would be sufficient.

Theorem III.5. Let $A = A_1A_2$ with $n = \log|A|$ and $\mathcal{T}_{A \to A_1}$ be the measurement map defined in Equation (7). Let $\epsilon > 0$, $c$ be a sufficiently large constant, and

$$\log|A_1| \le n + k - 4\log(1/\epsilon) - c$$

as well as

$$\log L \ge \log|A_1| + \log n + 4\log(1/\epsilon) + c . \tag{21}$$

Then, choosing $L$ unitaries $\{U_1, \ldots, U_L\}$ independently according to the Haar measure defines a $(k, \epsilon)$-QC-extractor with high probability.

The proof can be found in Appendix C. It uses one-shot decoupling techniques [10, 32, 33, 80, 81] combined with an operator Chernoff bound [3] (see Lemma B.4).

We now give some limitations on the output size and seed size of QC-extractors. The following lemma shows that even if we are looking for a QC-extractor that works for a particular state $\rho_{AE}$, the output size is at most n + HZf„(A\E) p , where $n$ denotes the size of the input.

Proposition III.6 (Upper bound on the output size). Let $A = A_1A_2$, $\rho_{AE} \in \mathcal{S}(AE)$, $\{U_1, \ldots, U_L\}$ a set of unitaries on $A$, and $\mathcal{T}_{A \to A_1}$ defined as in Equation (7) such that

$$\frac{1}{L}\sum_{i=1}^{L} \left\| \mathcal{T}_{A \to A_1}\!\left(U_i \rho_{AE} U_i^\dagger\right) - \frac{\mathbb{1}_{A_1}}{|A_1|} \otimes \rho_E \right\|_1 \le \epsilon . \tag{22}$$

Then,

log|Ai|<log|A| +J ff^ n (A|E)   (23)

Proof. Consider the projective rank-one measurements {P£} obtained by performing $U_i$ followed by a measurement in the computational basis of $A$. Using the fact that the min-entropy cannot increase by too much when performing a measurement (Lemma A.4), we obtain for all $i \in \{1, \ldots, L\}$

hH{A\E) p + log \A\ > H&(Xi\E) P ,   (24)

where $X_i$ denotes the outcome of the measurement {P^}. But condition (22) implies that there exists $i \in \{1, \ldots, L\}$ such that

$$\left\| \mathcal{T}_{A \to A_1}\!\left(U_i \rho_{AE} U_i^\dagger\right) - \frac{\mathbb{1}_{A_1}}{|A_1|} \otimes \rho_E \right\|_1 \le \epsilon . \tag{25}$$

By monotonicity of the min-entropy for classical registers [14, Lemma C.5], we have that

H£l{XAE) p > H^ME)^^^ > log 1^1 ,   (26)

which proves the desired result. □



The following simple argument shows that the number of unitaries of a QC-extractor has to be at least about $1/\epsilon$.

Proposition III.7 (Lower bound on seed size). Let $A = A_1A_2$. Any $(k, \epsilon)$-QC-extractor with $k \le \log|A| - 1$ is composed of a set of unitaries on $A$ of size at least $L \ge 1/\epsilon$.

Proof. Let $S \subseteq [|A_1|]$ be an arbitrary subset of $|A_1|/2$ basis elements of $A_1$. Then consider the state

$$\rho_A = \frac{2}{|A|} \sum_{a_1 \in S,\, a_2 \in [|A_2|]} U_1^\dagger |a_1 a_2\rangle\langle a_1 a_2| U_1 . \tag{27}$$

Note that $\mathcal{T}(U_1 \rho_A U_1^\dagger) = \frac{2}{|A_1|}\sum_{a_1 \in S} |a_1\rangle\langle a_1|$ and thus $\left\|\mathcal{T}(U_1 \rho_A U_1^\dagger) - \frac{\mathbb{1}}{|A_1|}\right\|_1 = 1$. This implies the claim. □

Observe that in the case where the system $E$ is trivial (or classical), it was shown in [35] that there exist QC-extractors composed of $L = O(\log(1/\epsilon)\epsilon^{-2})$ unitaries. This is a difference with classical extractors for which the number of possible values of the seed has to be at least $\Omega((n - k)\epsilon^{-2})$ [71].



B. Full set of mutually unbiased bases (MUBs) 

We saw that unitary 2-designs define QC-extractors. As unitary 2-designs also define QQ-extractors, it is natural to 
expect that we can build smaller and simpler sets of unitaries if we are only interested in extracting random classical 
bits. In fact, in this section, we construct simpler sets of unitaries that define a QC-extractor. Two ingredients are used: a full set of mutually unbiased bases and a family of pair-wise independent permutations.$^{13}$

A set of unitaries $\{U_1, \ldots, U_L\}$ acting on $A$ is said to define mutually unbiased bases if for all elements $|a\rangle$, $|a'\rangle$ of the computational basis of $A$, we have $|\langle a'| U_j U_i^\dagger |a\rangle|^2 \le |A|^{-1}$ for all $i \ne j$. In other words, a state described by a vector $U_i^\dagger|a\rangle$ of the basis $i$ gives a uniformly distributed outcome when measured in basis $j$ for $i \ne j$. For example the two bases, sometimes called computational and Hadamard bases (used in most quantum cryptographic protocols), are mutually unbiased. There can be at most $|A| + 1$ mutually unbiased bases for $A$. Constructions of full sets of $|A| + 1$ MUBs are known in prime power dimensions [TJIHS]. Such unitaries can be implemented by quantum circuits of almost linear size; see [35, Lemma 2.11]. Mutually unbiased bases also have applications in quantum state determination [52], [95].

To state our result, we will need one more notion. A family $\mathcal{P}$ of permutations of a set $X$ is pair-wise independent if for all $x_1 \ne x_2$ and $y_1 \ne y_2$, and if $\pi$ is uniformly distributed over $\mathcal{P}$, $\Pr\{\pi(x_1) = y_1, \pi(x_2) = y_2\} =$

If $X$ has a field structure, i.e., if $|X|$ is a prime power, it is simple to see that the family $\mathcal{P} = \{x \mapsto a \cdot x + b : a \in X^*, b \in X\}$ is pair-wise independent. In the following, permutations of basis elements of a Hilbert space $A$ should be seen as a unitary transformation on $A$.

13 The idea of using permutations with mutually unbiased bases goes back to [50] and was employed in [35] using results from [40]. Permutation extractors were used in a classical context in [72] and state randomization with permutation extractors is discussed in [35]. The decoupling behaviour of (almost) pairwise independent families of permutations is discussed in [80].



Theorem III.8. Let $A = A_1A_2$ with $n = \log|A|$, $|A|$ a prime power, and consider the map $\mathcal{T}_{A \to A_1}$ as defined in Equation (7). Then, if $\{U_1, \ldots, U_{|A|+1}\}$ defines a full set of mutually unbiased bases, we have for $\delta > 0$,

$$\frac{1}{|\mathcal{P}|}\,\frac{1}{|A|+1} \sum_{P \in \mathcal{P}} \sum_{i=1}^{|A|+1} \left\| \mathcal{T}_{A \to A_1}\!\left(P U_i \rho_{AE} (P U_i)^\dagger\right) - \frac{\mathbb{1}_{A_1}}{|A_1|} \otimes \rho_E \right\|_1 \le \sqrt{\frac{|A_1|}{|A|+1}\, 2^{-H^\delta_{\min}(A|E)_\rho}} + 2\delta , \tag{28}$$

where $\mathcal{P}$ is a set of pair-wise independent permutation matrices. In particular, the set $\{P U_i : P \in \mathcal{P}, i \in [|A| + 1]\}$ defines a $(k, \epsilon)$-QC-extractor provided

$$\log|A_1| \le n + k - 2\log(1/\epsilon) \tag{29}$$

and the number of unitaries is

$$L = (|A| + 1)|\mathcal{P}| = (|A| + 1)|A|(|A| - 1) . \tag{30}$$

The proof can be found in Appendix C and uses one-shot decoupling techniques (TU1 [Ml [Ml HOI H5 together with ideas related to permutation extractors [35, 50, 80]. Related theorems with the average taken only over a set of pairwise independent permutations were derived in [80]. The idea is to bound the trace norm in Equation (28) by the Hilbert-Schmidt norm of some well-chosen operator. This term is then computed exactly using the fact that the set of all the MUB vectors form a complex projective 2-design (Lemma B.2), and the fact that the set of permutations is pair-wise independent.



C. Bitwise QC-extractor 



The unitaries we construct in this section are even simpler. They are composed of unitaries V acting on single 
qudits followed by permutations P of the computational basis elements. Note that this means that the measurements 
defined by these unitaries can be implemented with current technology. As the measurement T commutes with the 
permutations P, we can first apply V , then measure in the computational basis and finally apply the permutation to 
the (classical) outcome of the measurement. In addition to the computational efficiency, the fact that the unitaries act 
on single qudits, is often a desirable property for the design of cryptographic protocols. In particular, the application 
to the noisy storage model that we present in Section V does make use of this fact.

Let $d \ge 2$ be a prime power so that there exists a complete set of mutually unbiased bases in dimension $d$. We represent such a set of bases by a set of unitary transformations $\{V_0, V_1, \ldots, V_d\}$ mapping these bases to the standard basis. For example, for the qubit space ($d = 2$), we can choose

$V_0 = \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix}$, $V_1 = \frac{1}{\sqrt{2}}\begin{pmatrix} 1 & 1 \\ 1 & -1 \end{pmatrix}$, $V_2 =$ _L ( 1 *   (31)

We define the set $\mathcal{V}_{d,n}$ of unitary transformations on $n$ qudits by $\mathcal{V}_{d,n} := \{V = V_{u_1} \otimes \cdots \otimes V_{u_n} \mid u_i \in \{0, \ldots, d\}\}$. As in the previous section, $\mathcal{P}$ denotes a family of pair-wise independent functions.

Theorem III.9. Let $A = A_1A_2$ with $|A| = d^n$, $|A_1| = d^{\xi n}$, $|A_2| = d^{(1-\xi)n}$, and $d$ a prime power. Consider the map $\mathcal{T}_{A \to A_1}$ as defined in Equation (7). Then for $\delta > 0$ and $\delta' > 0$,

$$\frac{1}{|\mathcal{P}|\,|\mathcal{V}_{d,n}|} \sum_{P \in \mathcal{P}} \sum_{V \in \mathcal{V}_{d,n}} \left\| \mathcal{T}_{A \to A_1}\!\left(P V \rho_{AE} (P V)^\dagger\right) - \frac{\mathbb{1}_{A_1}}{|A_1|} \otimes \rho_E \right\|_1 \le \sqrt{2^{(1 - \log(d+1) + \xi \log d)\,n}\left(1 + 2^{-H^\delta_{\min}(A|E)_\rho + z}\right)} + 2(\delta + \delta') , \tag{32}$$

where $\mathcal{V}_{d,n}$ is defined as above, $\mathcal{P}$ is a set of pair-wise independent permutation matrices, and z = log^g^j + T^j) . In particular, the set $\{P V : P \in \mathcal{P}, V \in \mathcal{V}_{d,n}\}$ is a $(k, \epsilon)$-extractor provided

$$\log|A_1| \le (\log(d + 1) - 1)n + \min\{0, k\} - 4\log(1/\epsilon) - 7 \tag{33}$$

and the number of unitaries is

$$L = (d + 1)^n d^n (d^n - 1) . \tag{34}$$

The proof can be found in Appendix C. The analysis uses the same technique as in the proof of Theorem III.8. The main difference is that we were not able to express the Hilbert-Schmidt norm exactly in terms of the conditional min-entropy $H_{\min}(A|E)_\rho$. Instead, we use some additional inequalities, which account for the slightly more complicated expression we obtain.
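The procedure of Sections B and C for $d = 2$ (a local MUB unitary on each qubit, a computational-basis measurement, then a pair-wise independent permutation applied to the classical outcome, keeping $A_1$), as an added Python example that is not part of the paper. It assumes trivial side information $E$ and a pure input state; `V[2]` (the circular basis), the irreducible polynomials used for GF(4) and GF(8) and all function names are choices made for this illustration. The pair-wise independence check uses the standard requirement that every ordered pair of distinct images is hit with the same probability.

```python
import itertools
import math

S = 1 / math.sqrt(2)
# Qubit unitaries mapping three mutually unbiased bases to the standard basis.
# V[0] and V[1] (identity, Hadamard) follow the text; V[2] (circular basis) is
# an assumed standard choice for this sketch.
V = [
    [[1, 0], [0, 1]],
    [[S, S], [S, -S]],
    [[S, -1j * S], [S, 1j * S]],
]
IRREDUCIBLE = {2: 0b111, 3: 0b1011}  # x^2+x+1 and x^3+x+1 over GF(2)


def mutually_unbiased(vs, tol=1e-12):
    """Check |<b| V_j V_i^dagger |a>|^2 == 1/2 for all i != j and all a, b."""
    for i, j in itertools.permutations(range(len(vs)), 2):
        for a, b in itertools.product(range(2), repeat=2):
            amp = sum(vs[j][b][c] * complex(vs[i][a][c]).conjugate() for c in range(2))
            if abs(abs(amp) ** 2 - 0.5) > tol:
                return False
    return True


def gf_mul(a, b, n):
    """Multiply a and b in GF(2^n): carry-less product reduced mod IRREDUCIBLE[n]."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n:
            a ^= IRREDUCIBLE[n]
    return r


def affine_permutations(n):
    """All maps x -> a*x + b on GF(2^n) with a != 0, as lookup tables."""
    size = 1 << n
    return [[gf_mul(a, x, n) ^ b for x in range(size)]
            for a in range(1, size) for b in range(size)]


def pairwise_independent(perms, size):
    """True if every (x1, x2) -> (y1, y2), x1 != x2, y1 != y2, is hit equally often."""
    counts = {}
    for p in perms:
        for x1, x2 in itertools.permutations(range(size), 2):
            key = (x1, x2, p[x1], p[x2])
            counts[key] = counts.get(key, 0) + 1
    pairs = size * (size - 1)
    return len(counts) == pairs ** 2 and all(c * pairs == len(perms) for c in counts.values())


def apply_local(state, n, u):
    """Apply V[u_1] (x) ... (x) V[u_n] to an n-qubit state vector (qubit 1 = top bit)."""
    for q, uq in enumerate(u):
        g, bit = V[uq], 1 << (n - 1 - q)
        new = list(state)
        for idx in range(1 << n):
            if not idx & bit:
                a0, a1 = state[idx], state[idx | bit]
                new[idx] = g[0][0] * a0 + g[0][1] * a1
                new[idx | bit] = g[1][0] * a0 + g[1][1] * a1
        state = new
    return state


def average_distance(state, n, m, bases=(0, 1, 2), perms=None):
    """Average over all seeds (V, P) of the L1 distance between the first m
    permuted outcome bits and the uniform distribution (trivial E)."""
    perms = affine_permutations(n) if perms is None else perms
    total, seeds = 0.0, 0
    for u in itertools.product(bases, repeat=n):
        probs = [abs(x) ** 2 for x in apply_local(state, n, u)]
        for p in perms:
            marginal = [0.0] * (1 << m)
            for x, pr in enumerate(probs):
                marginal[p[x] >> (n - m)] += pr  # permute outcome, keep A_1
            total += sum(abs(q - 2.0 ** -m) for q in marginal)
            seeds += 1
    return total / seeds, seeds


if __name__ == "__main__":
    zero = [1, 0, 0, 0]  # constructed input: |00>, H_min(A) = 0
    print(mutually_unbiased(V), pairwise_independent(affine_permutations(2), 4))
    print(average_distance(zero, 2, 1))                        # all 108 seeds
    print(average_distance(zero, 2, 1, (0,), [[0, 1, 2, 3]]))  # one fixed seed
```

For the input $|00\rangle$ a single fixed seed leaves the output bit fully predictable, while averaging over all $(d+1)^n d^n (d^n - 1) = 108$ seeds brings the distance down to $7/27$. At this size the condition (33) admits no positive output length, so the run only illustrates the mechanics of the construction.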

All results about QC-extractors are summarized in Table ITT] in the discussion section.

IV. APPLICATIONS TO ENTROPIC UNCERTAINTY RELATIONS WITH QUANTUM SIDE INFORMATION

The first application of our result is to entropic uncertainty relations with quantum side information. Entropic uncertainty relations form a modern way to capture the notion of uncertainty in quantum physics, and have interesting applications in quantum cryptography (see [93] for a survey). Intuitively, uncertainty relations aim to address the following question. Let $\rho^j_K$ denote the distribution over classical outcomes $K$ given by measurement $j$ applied to some particular state $\rho_A$. Consider now a set of $L$ measurements that we could perform on some quantum system $A$. What is the allowed set of $L$ distributions $\rho^j_K$ for any quantum state $\rho_A$? Entropic uncertainty relations capture limitations to this allowed set by bounding the entropies of such distributions. Typically, they are stated as an average of entropies of the outcome distributions of the different measurements.

However, with regard to applications in quantum cryptography, it is important to realize that uncertainty should not be treated as absolute, but with respect to the prior knowledge of an observer $E$. This has far reaching consequences, as it comes to a subtle interplay between uncertainty and entanglement. The effect can be quantified by uncertainty relations with quantum side information. Motivated by the case of two measurements [T^[TT?ll!Z2H!?illT3"II55] (i.e. $L = 2$), such relations should tell us that for all states $\rho_{AE}$, we have

$$\frac{1}{L}\sum_{j=1}^{L} H(K|E)_{\rho^j} \ge c + H(A|E)_\rho , \tag{35}$$

where $\rho^j_{KE} = \mathcal{M}^j_{A \to K}(\rho_{AE})$, H and H are some conditional entropy measures, and $c$ is a constant depending on the choice of measurements $\{\mathcal{M}^1_{A \to K}, \ldots, \mathcal{M}^L_{A \to K}\}$. Here the conditional entropy term on the rhs can in general become negative and is a measure for the entanglement in the pre-measurement state $\rho_{AE}$. Of particular interest are thereby the conditional von Neumann entropy, or (smoothed) Rényi entropies.

In the case of classical side information ($E$ is a classical system), or no side information ($E$ is trivial), many such relations are known [93]. Let us now first consider this case in more detail in order to recall some basic facts about entropic uncertainty relations. First of all, note that if $H$ is the von Neumann entropy, one can use the chain rule to express the l.h.s. of Equation (35) as

$$H(K|J)_\rho = \frac{1}{L}\sum_{j=1}^{L} H(K)_{\rho^j} , \tag{36}$$

where $\rho_{KJ} = \frac{1}{L}\sum_{j=1}^{L} \rho^j_K \otimes |j\rangle\langle j|_J$, with $\rho^j_K = \mathcal{M}^j_{A \to K}(\rho_A)$ being the classical distribution over measurement outcomes when measurement $\mathcal{M}^j_{A \to K}$ was performed on $\rho_A$. For other entropies we cannot simply rewrite the l.h.s. in this manner, since no corresponding chain rule exists. Nevertheless, for most other interesting entropies, such as e.g. the min-entropy, one can use the concavity of the log to lower bound

$$\frac{1}{L}\sum_{j=1}^{L} H_{\min}(K)_{\rho^j} \ge -\log\left(\frac{1}{L}\sum_{j=1}^{L} 2^{-H_{\min}(K)_{\rho^j}}\right) = H_{\min}(K|J)_\rho . \tag{37}$$

In fact, this and most other entropic uncertainty relations are typically proven by lower bounding $H(K|J)_\rho$ instead of the average. That is, existing proofs actually give us

$$H(K|J)_\rho \ge c . \tag{38}$$

We will refer to such a relation as a meta-entropic uncertainty relation. Meta-entropic relations are also the ones relevant for most quantum cryptographic applications and have a foundational significance in quantum information 67 4 .

Let us now return to the case with quantum side information. The goal of this section is to show that QC-extractors lead to meta-entropic uncertainty relations with quantum side information of the form

$$H(K|EJ)_\rho \ge c + H(A|E)_\rho . \tag{39}$$



A. Idea 



Our approach of using QC-extractors to derive strong entropic uncertainty relations is based on ideas developed in [35]. In fact, as outlined in Section III one can understand the set of unitaries constructed in [35] as QC-extractors without quantum side information. As opposed to [35], we start with uncertainty relations for the smooth conditional min-entropy, since this is the relevant operational quantity to bound for quantum cryptographic applications. We first prove a meta-uncertainty relation which is essentially immediate.

Lemma IV.1. Let $\rho_{AE} \in \mathcal{S}(AE)$, and $\{U_1, \ldots, U_L\}$ be a set of unitaries on $A$ with corresponding measurements $\{\mathcal{M}^1_{A \to K_1}, \ldots, \mathcal{M}^L_{A \to K_1}\}$ as defined in Equation (8), such that

$$\frac{1}{L}\sum_{j=1}^{L} \left\| \mathcal{M}^j_{A \to K_1}(\rho_{AE}) - \frac{\mathbb{1}_{K_1}}{|K_1|} \otimes \rho_E \right\|_1 \le \epsilon(\rho) \tag{40}$$

for some $\epsilon(\rho)$ depending on the input state $\rho_{AE}$. Then

$$H^{\sqrt{2\epsilon(\rho)}}_{\min}(K_1|EJ)_\rho \ge \log|K_1| , \tag{41}$$

where $\rho_{K_1EJ} = \frac{1}{L}\sum_{j=1}^{L} \mathcal{M}^j_{A \to K_1}(\rho_{AE}) \otimes |j\rangle\langle j|_J$.

Proof. Note that since \\pKiEj — iKiEj\\i < e{p) with lk x ej — j-fe- ® Pej, we have by Equation (11) applied 
to normalized states that P(pk 1 e.j, l ) < \/^ £ {p)- It then follows immediately from the definition of the smooth 

conditional min- entropy (Equation ^) that H^*\k x \EJ) p > H mU {Ki\E J) Our claim now follows by noting 
that H^KxlEJ)^ H mln (K x ), = log 1^]. □ 

Uncertainty relations for the conditional von Neumann entropy can be obtained as follows. 

Lemma IV.2. For the same premises as in Lemma IV.1 we have

$$\frac{1}{L}\sum_{j=1}^{L} H(K_1|E)_{\rho^j} = H(K_1|EJ)_\rho \ge (1 - 4\epsilon(\rho))\log|K_1| - 2h(\epsilon(\rho)) , \tag{42}$$

where $\rho^j_{K_1E} = \mathcal{M}^j_{A \to K_1}(\rho_{AE})$ and $\rho_{K_1EJ} = \frac{1}{L}\sum_{j=1}^{L} \rho^j_{K_1E} \otimes |j\rangle\langle j|_J$.

Proof. By assumption we have

$$\left\| \rho_{K_1EJ} - \frac{\mathbb{1}_{K_1}}{|K_1|} \otimes \rho_{EJ} \right\|_1 \le \epsilon(\rho) \tag{43}$$

and hence the improved Alicki-Fannes inequality [4] immediately implies the claim. □

So far, we have merely made a few rather simple statements, and it is not easy to see how these uncertainty relations should at all take quantum side information into account. This link is forged by the exact form of the approximation parameter $\epsilon(\rho)$ for QC-extractors. We again start with the min-entropy case.



B. Uncertainty relations for the min-entropy 



To get some intuition of how our line of proof works, let us now consider two simple examples in detail; bounds for all constructions are summarized in Table I.

1. Exact unitary 2-designs

As an illustrative warmup, we consider measurements formed by applying a unitary $U_j$ drawn from an exact unitary 2-design to $A = A_1A_2$, followed by a measurement of $A$ in the standard basis leading to a classical outcome register $K$. Denote this measurement by $\mathcal{M}^j_{A \to K}$. Note that we can perform the measurement in two steps. First, we measure $A_1$ to obtain a classical outcome $K_1$. Second, we measure $A_2$ to obtain a classical outcome $K_2$. Let us first consider only the outcome $K_1$, tracing over the resulting classical register $K_2$. This then corresponds to the measurements $\mathcal{M}^j_{A \to K_1}$ generated by the unitaries $U_j$ (cf. Equation (8)) drawn from the exact unitary 2-design.

As outlined in Section III and Lemma B.1 the general decoupling results of [3H [33J immediately imply that the set of such measurements forms a QC-extractor with

$$\epsilon(\rho) = 2^{-\frac{1}{2}\left(H^\delta_{\min}(A|E)_\rho + \log|A_2|\right)} + 2\delta , \tag{44}$$

for any $\delta > 0$. Intuitively, $\epsilon(\rho)$ becomes larger if $E$ is highly entangled with $A$ and smaller if we trace out a larger chunk $A_2$ from the initial system. Let us suppose we would like to have an entropic uncertainty relation with respect to quantum side information for some particular fixed $\epsilon' = \epsilon(\rho)$. Do there exist measurements that give us such a high amount of uncertainty? Our results from the previous section tell us that such measurements do indeed exist, if we choose $A_2$ from the combined system $A = A_1A_2$ large enough. In particular, choose $A_2$ such that

$$|A_2| = \frac{1}{(\epsilon' - 2\delta)^2} \cdot 2^{-H^\delta_{\min}(A|E)_\rho} . \tag{45}$$

Using that $\log|K_1| = \log|A_1| = \log|A| - \log|A_2|$ we have by Lemma IV.1 and the monotonicity of the min-entropy for the classical register $K_2$ [14, Lemma C.5] that,

$$H^{\sqrt{2\epsilon'}}_{\min}(K|EJ)_\rho \ge H^{\sqrt{2\epsilon'}}_{\min}(K_1|EJ)_\rho \ge \log|A| - \log\left(\frac{1}{(\epsilon' - 2\delta)^2}\right) + H^\delta_{\min}(A|E)_\rho , \tag{46}$$

where $\rho_{KEJ} = \frac{1}{L}\sum_j \mathcal{M}^j_{A \to K}(\rho_{AE}) \otimes |j\rangle\langle j|_J$. We set $\epsilon' = \epsilon^2/2$ and conclude that for any $\epsilon > 0$ and $\delta > 0$,

$$H^\epsilon_{\min}(K|EJ)_\rho \ge \log|A| - \log\left(\frac{1}{(\epsilon^2/2 - 2\delta)^2}\right) + H^\delta_{\min}(A|E)_\rho . \tag{47}$$

Note that since the l.h.s. is in fact upper bounded by $\log|A| = \log|K|$, this uncertainty relation is very strong as long as $|A|$ is sufficiently large. To gain some intuition about this bound, consider the case of trivial side information $E$ for which $H_{\min}(A|E)_\rho = H_{\min}(A)_\rho \ge 0$.



2. Full set of MUBs 

As the second example we consider a measurement of $A = A_1A_2$ in the full set of $|A| + 1$ MUBs. As mentioned before, it is known that whenever $|A| = p^k$ with $p$ prime, such a set exists [71 [S5J. As before, we denote the classical outcome of measuring $A = A_1A_2$ with $K = K_1K_2$. Let us now first consider a post-processing of this measurement. In particular, suppose that we randomly choose a two-wise independent permutation $\pi$ over $|A|$ to obtain the string $\Pi(K_1K_2)$, and trace out a system of size $\log|A_2|$ at the end. Let $K_\Pi$ denote the resulting string. Note that this can be understood as a new set of measurements. As shown in Theorem III.8 these form a QC-extractor with

$$\epsilon(\rho) = \sqrt{\frac{|A_1|}{|A| + 1}\, 2^{-H^\delta_{\min}(A|E)_\rho}} + 2\delta , \tag{48}$$

for any $\delta > 0$. To obtain a meaningful uncertainty relation, let us now again fix some particular $\epsilon' = \epsilon(\rho)$ and choose $|A_1|$ accordingly. By rearranging the terms in (48) we obtain

$$\log|A_1| = \log(|A| + 1) - \log\left(\frac{1}{(\epsilon' - 2\delta)^2}\right) + H^\delta_{\min}(A|E)_\rho . \tag{49}$$

As above, one may now immediately write down uncertainty relations for the new, larger, set of measurements. Intuitively, it is clear however that adding the additional permutation does not change matters: after all entropic measures only depend on the distributions and are invariant under relabelings of the actual symbols. This can be seen more formally as well by noting that $\Pi(K_1K_2)$ can be computed from $K_1K_2$ and $\Pi$. We thus have for $\epsilon = \sqrt{2\epsilon'} > 0$ and $\delta > 0$ that,

$$H^\epsilon_{\min}(K|EJ)_\rho \ge H^\epsilon_{\min}(K|EJ\Pi)_\rho = H^\epsilon_{\min}(\Pi(K)|EJ\Pi)_\rho \ge H^\epsilon_{\min}(K_\Pi|EJ\Pi)_\rho \tag{50}$$

$$\ge \log(|A| + 1) - \log\left(\frac{1}{(\epsilon^2/2 - 2\delta)^2}\right) + H^\delta_{\min}(A|E)_\rho , \tag{51}$$

where the first step follows because conditioning reduces the min-entropy [84, Theorem 18], the second from the fact that $\Pi(K)$ can be computed from $K$ and $\Pi$ [84, Lemma 13], the third from the monotonicity of the min-entropy for a classical register [14, Lemma C.5], and the last one from Lemma IV.1 and Equation (49).

3. Single-qudit measurements

From the point of view of applications, the following entropic uncertainty relation for single-qudit measurements is probably the most interesting. It can be seen as a generalization to allow for quantum side information of uncertainty relations obtained in [25].

Theorem IV.3. Let $d \ge 2$ be a prime power. For any state $\rho_{AE}$, we have
H^ in (K\EJ) p > n ■ (log(d + !)-!) + min [o, H s min (A\E) p - log ( A + -1\ j _ l og 



(e 2 /2 - 26 - S') 2 



where $\rho_{KEJ} = \frac{1}{(d+1)^n}\sum_j \mathcal{M}^j_{A \to K}(\rho_{AE}) \otimes |j\rangle\langle j|_J$ and the measurements $\mathcal{M}^j_{A \to K}$ correspond to measuring each qudit in a basis from a set of MUBs.

We summarize the various uncertainty relations for the min-entropy in the following table.



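Lower bounds for the smooth conditional min-entropy $H^\epsilon_{\min}(K|EJ)_\rho$

Unitary 2-design: $\log|A| + H^\delta_{\min}(A|E)_\rho - \log\left(\frac{1}{(\epsilon^2/2 - 2\delta)^2}\right)$

Almost unitary 2-design: log |A| + HtUA\E)„ - ( {e2/ l 25 y ) - l-f; ( I - , l

All $|A| + 1$ MUBs: $\log(|A| + 1) + H^\delta_{\min}(A|E)_\rho - \log\left(\frac{1}{(\epsilon^2/2 - 2\delta)^2}\right)$

Single qudit MUBs: $n \cdot (\log(d + 1) - 1) + \min\{0, H^\delta_{\min}(A|E)_\rho -$ log (^ + ^) $\} - \log\left(\frac{1}{(\epsilon^2/2 - 2\delta - \delta')^2}\right) - 1$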



TABLE I: Entropic uncertainty relations with quantum side information for the smooth conditional min-entropy for approxi- 
mation parameters e > 0, £ > 0, r\ > 0, S > 0, and 8' > 0. The almost unitary 2-design has an approximation parameter of 

41 5.4 and can be sampled from using a random quantum circuit of size O (log 1.4.1 (log|A|+log(±))) glEUISI]- 



C. Uncertainty relations for the von Neumann entropy 

Let us now turn to entropic uncertainty relations in terms of the von Neumann entropy. To this end, we again 
consider the same two examples. 



1. Exact unitary 2-designs 



First, we again consider a set of measurements given by a unitary 2-design. Using (45) and the fact that $\log|K_1| = \log|A_1| = \log|A| - \log|A_2|$, we obtain by the monotonicity of the von Neumann entropy and Lemma IV.2 that for $\varepsilon > 0$ and $\delta > 0$,

$$\frac{1}{L}\sum_{j=1}^{L} H(K|E)_{\rho^j} \geq \frac{1}{L}\sum_{j=1}^{L} H(K_1|E)_{\rho^j} \geq (1-4\varepsilon)\left(\log|A| + H^{\delta}_{\min}(A|E)_\rho - \log\frac{1}{(\varepsilon^2/2-2\delta)^2}\right) - 2h(\varepsilon) . \tag{52}$$



2. Full set of MUBs and single qudit MUBs 
Similarly for the full set of $|A| + 1$ MUBs, we get as in the min-entropy case that for $\varepsilon > 0$ and $\delta > 0$,

$$\frac{1}{L}\sum_{j=1}^{L} H(K|E)_{\rho^j} = H(K|EJ)_\rho \geq H(K|EJ\Pi) = H(\Pi(K)|EJ\Pi) \geq H(K_\Pi|EJ\Pi) \tag{53}$$

$$\geq (1-4\varepsilon)\left(\log(|A|+1) + H^{\delta}_{\min}(A|E)_\rho - \log\frac{1}{(\varepsilon^2/2-2\delta)^2}\right) - 2h(\varepsilon) , \tag{54}$$

where the first step follows from the chain rule for the von Neumann entropy, the second from the fact that conditioning reduces entropy, the third because $\Pi(K)$ can be computed from $K$ and $\Pi$, the fourth from the monotonicity of the von Neumann entropy for a classical register, and the last from Lemma IV.2 together with Equation (49).

Glancing at both uncertainty relations, it seems rather unsatisfying that we have a mix of entropies. That is, on the 
left we quantify information in terms of the von Neumann entropy, whereas on the right we employ the min-entropy. 
Can we derive a relation solely in terms of the von Neumann entropy? As we prove in Appendix D, this is indeed the case, where we use the fact that the smooth min-entropy approaches the von Neumann entropy in the asymptotic limit of many copies of the state (Lemma A.5).



Proposition IV.4. Let $d \geq 2$ be a prime power, and $\{V_0, V_1, \ldots, V_d\}$ define a complete set of MUBs of $\mathbb{C}^d$. Consider the set of measurements $\{\mathcal{M}^j_{A \to K} : j \in [(d+1)^n]\}$ on the $n$ qudit space $A$ defined by the unitary transformations $\{V = V_{u_1} \otimes \cdots \otimes V_{u_n} \mid u_i \in \{0, \ldots, d\}\}$. Then for all $\rho_{AE} \in \mathcal{S}(AE)$, we have

$$\frac{1}{(d+1)^n} \sum_{j=1}^{(d+1)^n} H(K|E)_{\rho^j} \geq n \cdot (\log(d+1) - 1) + \min\{0, H(A|E)_\rho\} , \tag{55}$$

where $\rho^j = \mathcal{M}^j_{A \to K}(\rho_{AE})$.



Note that for $n = 1$, this again gives an uncertainty relation for the full set of MUBs, but now a 'complete' von Neumann entropy version

$$\frac{1}{d+1} \sum_{j=1}^{d+1} H(K|E)_{\rho^j} \geq \log(d+1) - 1 + \min\{0, H(A|E)_\rho\} . \tag{56}$$

To understand this bound it is again instructive to consider some special cases. Note that for $E$ trivial, we arrive at

$$\frac{1}{d+1} \sum_{j=1}^{d+1} H(K)_{\rho^j} \geq \log(d+1) - 1 , \tag{57}$$

which is the best known bound for a full set of MUBs and general $d$ [53, 75]. But it is also known that without side information and $d$ even, this can be improved to [77]

For one qubit ($d = 2$) the latter gives 2/3 (which is known to be tight, e.g. for the Pauli matrices), whereas our bound gives $\log 3 - 1 \approx 0.585$.

D. Conclusions 

Previously, uncertainty relations with quantum side information were only known for two measurements [1211191 [22T - 
1241 1731 185] . As shown above, however, any QC-extractor yields an uncertainty relation that takes quantum side 
information into account. Table I summarizes the uncertainty relations for the min-entropy obtained for the particular QC-extractors from this paper. For the von Neumann entropy uncertainty relations, we would mainly like to point to Proposition IV.4 and Equation (56), which can be understood as the generalization of a well known entropic uncertainty relation without quantum side information (Equation (57)).



V. APPLICATIONS TO SECURITY IN THE NOISY-STORAGE MODEL



As the second application, we solve the long standing question of relating the security of cryptographic protocols 
in the noisy-storage model j58[ [78l [901 E] to the quantum capacity. 
A. Model

Let us first provide a brief summary of the noisy-storage model - details can be found in [58]. The central assumption of the model is that during waiting times $\Delta t$ introduced into the protocol, the adversary can only store quantum information using a limited and unreliable quantum memory device. This is indeed the only assumption on the adversary who is otherwise all powerful. In particular, he can store an unlimited amount of classical information, and perform any operation instantaneously. The latter implies that he is able to perform any encoding and decoding operations before and after using his memory device, even if these may be difficult to perform.

Mathematically, such a quantum storage device is simply a quantum channel $\mathcal{F} : \mathcal{B}(\mathcal{H}_{in}) \to \mathcal{B}(\mathcal{H}_{out})$ mapping input states on the space $\mathcal{H}_{in}$ to some noisy output states on the space $\mathcal{H}_{out}$. Of particular interest are thereby input spaces of the form $\mathcal{H}_{in} = (\mathbb{C}^d)^{\otimes N}$ and channels $\mathcal{F} = \mathcal{N}^{\otimes N}$ with $\mathcal{N} : \mathcal{B}(\mathcal{H}_{in}) \to \mathcal{B}(\mathcal{H}_{out})$. This corresponds to a memory device consisting of $N$ $d$-dimensional 'memory cells' each of which experiences a noise described by the channel $\mathcal{N}$. A special case of this model is thus the bounded quantum storage model where $d = 2$, and $\mathcal{N} = \mathcal{I}_2$ is the one qubit identity channel [531 HI]. For a protocol using BB84 encoded qubits it is known that security can be achieved whenever $N$ is strictly less than half the number of qubits sent during the course of the protocol [58].

B. Security of existing protocols 

1. Weak string erasure 

How can we hope to show security in such a model? In [58] it was shown that bit commitment and oblivious transfer, and hence any two-party secure computation [53], can be implemented securely against an all-powerful quantum adversary given access to a much simpler primitive called weak string erasure (WSE). The latter primitive was then proven secure in the noisy-storage model. It is hence enough to prove the security of WSE, and we will follow this approach here.

The motivation behind the primitive weak string erasure was to create a basic quantum protocol that builds up classical correlations between Alice and Bob which are later used to implement more interesting cryptographic primitives. Informally, weak string erasure achieves the following task - a formal definition [58, 63] can be found in the appendix. WSE takes no inputs from Alice and Bob. Alice receives as output a randomly chosen string $X^n = X_1, \ldots, X_n \in \{0,1\}^n$. Bob receives a randomly chosen subset $I \subseteq [n]$ and the substring $X_I$ of $X^n$. Randomly chosen thereby means that each index $i \in [n]$ has some fixed probability $p$ of being in $I$. Originally, $p = 1/2$ [58], but any probability $0 < p < 1$ allows for the implementation of oblivious transfer [63]. The security requirements of weak string erasure are that Alice does not learn $I$, and Bob's min-entropy given all of his information $B$ is bounded as $H_{\min}(X|B) \geq \lambda n$ for some parameter $\lambda > 0$. To summarize all relevant parameters, we thereby speak of an $(n, \lambda, \varepsilon, p)$-WSE scheme.

2. Protocol for weak string erasure 

We now construct a very simple protocol for weak string erasure, and prove its security using our bitwise QC- 
randomness extractor. The only difference to the protocol proposed in [58] is that we will use 3 MUBs per qubit
instead of only 2. For sake of argument, we state the protocol in a purified form where Alice generates EPR-pairs 
and later measures them. Note, however, that the protocol is entirely equivalent to Alice creating single qubits and 
sending them directly to Bob. In the purified protocol, the choice of bit she encodes is determined randomly by her 
measurement outcome in the chosen basis on the EPR-pair. That is, honest Alice and Bob do not need any quantum 
memory to implement the protocol below. Indeed, this is the way such protocols are typically implemented in practice. 
Protocol 1: Weak string erasure (WSE). Outputs: $x^n \in \{0,1\}^n$ to Alice, $(I, z^{|I|}) \in 2^{[n]} \times \{0,1\}^{|I|}$ to Bob.

1. Alice: Creates $n$ EPR-pairs $\Phi$, and sends half of each pair to Bob.

2. Alice: Chooses a bases-specifying string $\theta^n \in_R \{0,1,2\}^n$ uniformly at random. For all $i$, she measures the $i$-th qubit in the basis $\theta_i$ to obtain outcome $x_i$.

3. Bob: Chooses a basis string $\tilde\theta^n \in_R \{0,1,2\}^n$ uniformly at random. When receiving the $i$-th qubit, Bob measures it in the basis given by $\tilde\theta_i$ to obtain outcome $\tilde x_i$.

Both parties wait time $\Delta t$.

4. Alice: Sends the basis information $\theta^n$ to Bob, and outputs $x^n$.

5. Bob: Computes $I = \{i \in [n] \mid \theta_i = \tilde\theta_i\}$, and outputs $(I, z^{|I|}) := (I, \tilde x_I)$.
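
An added simulation of an honest run of the protocol above (not code from the paper), in the prepare-and-measure form that the text describes as equivalent to the purified one. It assumes the three bases are the Pauli Z, X and Y eigenbases; the function names and dictionary keys are hypothetical.

```python
import math
import random

S = 1 / math.sqrt(2)
# Assumed concrete choice of the 3 MUBs per qubit: eigenbases of Pauli Z, X, Y.
# Index = basis label in {0, 1, 2}; each basis lists the states for bit 0 and bit 1.
MUBS = [
    [(1, 0), (0, 1)],
    [(S, S), (S, -S)],
    [(S, S * 1j), (S, -S * 1j)],
]


def overlap_sq(u, v):
    """Return |<u|v>|^2 for two qubit state vectors."""
    amp = sum(complex(a).conjugate() * b for a, b in zip(u, v))
    return abs(amp) ** 2


def mutually_unbiased(bases, tol=1e-9):
    """Check orthonormality within each basis and |<u|v>|^2 = 1/2 across bases."""
    for i, bi in enumerate(bases):
        for j, bj in enumerate(bases):
            for a, u in enumerate(bi):
                for b, v in enumerate(bj):
                    want = (1.0 if a == b else 0.0) if i == j else 0.5
                    if abs(overlap_sq(u, v) - want) > tol:
                        return False
    return True


def measure(state, basis, rng):
    """Born-rule measurement of `state` in `basis`; returns the outcome bit."""
    # Rounding removes floating-point noise so matching bases are deterministic.
    p0 = min(1.0, max(0.0, round(overlap_sq(basis[0], state), 12)))
    return 0 if rng.random() < p0 else 1


def run_wse(n, seed=0):
    """One honest execution; returns Alice's string and Bob's (I, z)."""
    rng = random.Random(seed)
    # Steps 1-2 (prepare-and-measure form): Alice picks basis theta_i and bit x_i.
    theta = [rng.randrange(3) for _ in range(n)]
    x = [rng.randrange(2) for _ in range(n)]
    # Step 3: Bob measures each qubit on arrival in his own random basis,
    # so neither honest party needs quantum memory.
    theta_b = [rng.randrange(3) for _ in range(n)]
    x_b = [measure(MUBS[theta[i]][x[i]], MUBS[theta_b[i]], rng) for i in range(n)]
    # Waiting time, then step 4: Alice reveals theta and outputs x.
    # Step 5: Bob keeps exactly the positions where the bases agree.
    index_set = [i for i in range(n) if theta[i] == theta_b[i]]
    z = [x_b[i] for i in index_set]
    return {"x": x, "I": index_set, "z": z, "x_b": x_b}


def summarize(run):
    """Empirical checks: p = |I|/n, correctness on I, and ignorance outside I."""
    n = len(run["x"])
    in_set = set(run["I"])
    outside = [i for i in range(n) if i not in in_set]
    agree = sum(run["x"][i] == run["x_b"][i] for i in outside)
    return {
        "fraction_in_I": len(run["I"]) / n,
        "substring_correct": run["z"] == [run["x"][i] for i in run["I"]],
        "agreement_outside_I": agree / len(outside),
    }


if __name__ == "__main__":
    print(mutually_unbiased(MUBS), summarize(run_wse(6000, seed=1)))
```

The fraction of indices in I concentrates around p = 1/3, and outside I honest Bob's outcomes agree with Alice's only about half the time, which is the erasure the primitive is named for.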



The proof of correctness of the protocol, and security against dishonest Alice is identical to [58, 63]. It essentially follows from the fact that Bob never sends any information to Alice. The main difficulty lies in proving security against dishonest Bob. Before embarking on a formal proof, let us first consider the general form that any attack of Bob takes (see Figure 1). First of all, note that the noisy-storage model only assumes that Bob has to use his storage device during waiting times $\Delta t$. That is, when attacking the protocol above he can in fact store the incoming qubits perfectly until the waiting time, i.e., until all $n$ qubits arrived. Let $Q$ denote Bob's quantum register containing all $n$ qubits. Note that since there is no communication between Alice and Bob during the transmission of these $n$ qubits, we can without loss of generality assume that Bob first waits for all $n$ qubits to arrive before mounting any form of attack.

As any operation in quantum theory is a quantum channel, Bob's attack can also be described by a quantum channel $\mathcal{E} : \mathcal{S}_{\leq}(Q) \to \mathcal{S}_{\leq}(\mathcal{H}_{in} \otimes M)$. This map takes $Q$ to some quantum state on the input of Bob's storage device ($\mathcal{H}_{in}$), and some arbitrarily large amount of classical information ($M$). For example, $\mathcal{E}$ could be an encoding into an error-correcting code. By assumption of the noisy-storage model, Bob's quantum memory is then affected by noise $\mathcal{F} : \mathcal{S}_{\leq}(\mathcal{H}_{in}) \to \mathcal{S}_{\leq}(\mathcal{H}_{out})$. After the waiting time, the joint state held by Alice and Bob in the purified version of the protocol, i.e., before Alice measures, is thus of the form

$$\rho_{ABM} = \mathcal{I}_A \otimes [(\mathcal{F} \otimes \mathcal{I}_M) \circ \mathcal{E}](\Phi^{\otimes n}) , \tag{59}$$

where $\Phi$ is an EPR-pair. After the waiting time, Bob can perform any form of quantum operation to try and recover information from the storage device. Note that in principle, Bob's goal is to recover $X$ alone for which he could potentially use his basis information $\Theta$. Yet, we will see in Section V C that we can ignore the basis information in the analysis. That is, we only need to analyze decoding maps $\mathcal{D} : \mathcal{S}_{\leq}(\mathcal{H}_{in} \otimes M) \to \mathcal{S}_{\leq}(Q')$ trying to recover the initial entanglement between Alice and Bob.



C. Security and the quantum capacity 

Recall from the definition above that our goal is to show that $H^{\varepsilon}_{\min}(X|BM\Theta)_\rho \geq \lambda \cdot n$ for some parameter $\lambda$. How could we hope to accomplish this? Although it was always clear that security should be related to the channel's ability to store quantum information, i.e., the quantum capacity of $\mathcal{F}$, proving this fact has long formed an elusive problem. Partial progress to answering this question was made in [58] and [11], where security was linked to the classical capacity and entanglement cost of $\mathcal{F}$, respectively. Why would this problem be difficult? Note that we wish to make a statement about some classical information $X$ obtained by measuring $A$ in bases $\Theta$. That is, we effectively ask for an uncertainty relation for said measurements. Previously, however, suitable uncertainty relations were only known for classical side information. The missing ingredient is thus an uncertainty relation with quantum side information, linked to the channel's ability to preserve quantum information.

Indeed, one application of our QC-extractors is to provide such a relation, where for the protocol above we will need the relation for 3 MUBs per qubit given in Table I. For $E = BM$ on $\rho_{ABM\Theta}$ it reads

$$H^{\varepsilon}_{\min}(X|BM\Theta)_\rho \gtrsim (\log(3) - 1)n + \min\{0, H_{\min}(A|BM)_\rho\} . \tag{60}$$

FIG. 1: Any attack of dishonest Bob is described by an encoding attack $\mathcal{E}$ and a 'guessing' attack, since for classical $X$ the min-entropy $H_{\min}(X|BM\Theta)$ is directly related to the probability that Bob guesses $X$. As we will see below, it is however sufficient to consider how well a decoding attack $\mathcal{D}$ can preserve entanglement between Alice and Bob, where $\mathcal{D}$ acts on $BM$ on the state $\rho_{ABM}$ from Equation (59) at the marked point in time.

Note that the operational definition of the smooth conditional min-entropy already incorporates any guessing attack Bob may mount on $BM\Theta$. Clearly, not all QC-extractors are useful for protocols such as the above, as we must ensure that there exists a strategy for the honest players to succeed. However, any bitwise QC-extractor will do. How can we now relate this expression to the quantum capacity? Note that the min-entropy has an appealing operational interpretation [36] as

$$H_{\min}(A|BM)_\rho = -\log |A| \max_{\Lambda} F(\Phi_{AA'}, \mathcal{I}_A \otimes \Lambda(\rho_{ABM})) , \tag{61}$$
where $\Phi_{AA'}$ is the maximally entangled state across $AA'$. That is, the min-entropy is directly related to the 'amount' of entanglement between $A$ and $E = BM$. To place a bound on (60), we would like to obtain a lower bound on

$$\min H_{\min}(A|BM)_\rho , \tag{62}$$

where the minimization is taken over all encoding attacks described above. Note that this expression does not depend on the basis information $\Theta$, and that the map $\Lambda$ in (61) can be understood as a decoding attack $\mathcal{D}$ aiming to restore entanglement with Alice. Further, note that $|A'| = |Q|$ and we can equivalently upper bound

$$\max_{\mathcal{D},\mathcal{E}} F(\Phi_{AB}, \mathcal{I}_A \otimes [\mathcal{D} \circ (\mathcal{F} \otimes \mathcal{I}_M) \circ \mathcal{E}](\Phi_{AQ})) = \max_{\mathcal{D},\mathcal{E}} F_c(\mathcal{D} \circ (\mathcal{F} \otimes \mathcal{I}_M) \circ \mathcal{E}) . \tag{63}$$

The quantity $F_c$ on the r.h.s., however, is precisely the channel fidelity [8] of $\mathcal{D} \circ (\mathcal{F} \otimes \mathcal{I}_M) \circ \mathcal{E}$, maximized over all encodings and decodings where we are allowed free forward classical communication ($M$).

Why is this quantity interesting? When talking about a channel's ability to carry information, we need to agree on what it means to send information reliably. The channel fidelity is one of the measures in which the quantum capacity can be expressed [59]. For the storage device $\mathcal{F}$, the quantity

$$n = \max \log|A| \tag{64}$$

$$\text{s.t. } \max F_c(\mathcal{D} \circ (\mathcal{F} \otimes \mathcal{I}_M) \circ \mathcal{E}) \geq 1 - \varepsilon , \tag{65}$$

tells us how much entanglement, or equivalently how many qubits [8], we can send through $\mathcal{F}$ with an error of at most $\varepsilon$, using free feed forward classical communication ($M$). For $\varepsilon \to 0$, this quantity is also known as the one-shot quantum capacity of $\mathcal{F}$ itself, no matter what form $\mathcal{F}$ takes.

Let us now consider storage devices of the form $\mathcal{F} = \mathcal{N}^{\otimes N}$. Recall that the capacity of the channel $\mathcal{N}$ is the maximum rate $R = n/N$ at which we can send $n$ (qu)bits reliably by using the channel $\mathcal{N}$ $N$ times. For channels $\mathcal{F} = \mathcal{N}^{\otimes N}$, the quantity $R = n/N$ with $n$ from Equation (64) thus determines the maximum rate at which we can send information with error $\varepsilon$ for any finite $N$. The usual quantum capacity with classical feed forward communication $Q_{\to}(\mathcal{N})$ is then given by taking the limit $N \to \infty$ and $\varepsilon \to 0$.

Whereas one might think that forward classical communication helps, it is in fact known that it does not affect the quantum capacity since for any scheme that achieves error $\varepsilon$ using classical forward communication, there exists a scheme without any classical communication with error at most $2\varepsilon$ [8]. Note that there are several definitions of the quantum capacity using e.g. the entanglement fidelity or the distance from the identity channel in diamond norm as a measure of success, however, all such definitions lead to the same capacity [59]. Combining Equation (60) and Equation (63) thus finally relates the security in the noisy-storage model to the quantum capacity $Q_{\to}(\mathcal{N})$ of the storage device. 14

D. Security parameters from a strong converse 

How can we now obtain explicit security parameters from this? We first make a statement analogous to [58, Theorem III.2.i] for arbitrary channels $\mathcal{F}$.

Theorem V.1. Let Bob's storage device be given by $\mathcal{F}$. For any choice of constant parameters $\varepsilon, \delta' > 0$, Protocol 1 implements $(n, \lambda, \varepsilon, 1/3)$-WSE with

$$\lambda = \log(3) - 1 - \frac{1}{n} \max\left\{0, \max_{\mathcal{D},\mathcal{E}} \log 2^n F_c(\mathcal{D} \circ (\mathcal{F} \otimes \mathcal{I}_M) \circ \mathcal{E}) + \kappa\right\} - \frac{1}{n}(\xi + 1) , \tag{66}$$

where $\kappa = \log(2/\delta'^2 + 1)$ and $\xi = \log(1/(\varepsilon^2/2 - \delta')^2)$.



Proof. The proof of correctness of the protocol, and security against dishonest Alice is identical to [58, 63] and does not lead to any error terms. As shown in Section IV, any QC-extractor yields an entropic uncertainty relation with quantum side information. For the case of 3 MUBs per qubit as in the protocol above, this uncertainty relation (see Table I with $\delta = 0$) is given by

$$H^{\varepsilon}_{\min}(X|BM\Theta)_\rho \geq n \cdot (\log(3) - 1) + \min\{0, H_{\min}(A|BM)_\rho - \kappa\} - \xi - 1 . \tag{67}$$

Note that any decoding attack of Bob is absorbed into the operational interpretation of the min-entropy. As outlined above, it also follows from the operational interpretation of the min-entropy that for any encoding $\mathcal{E}$ and decoding $\mathcal{D}$ attack of Bob

$$H_{\min}(A|BM)_\rho \geq -\log 2^n F_c(\mathcal{D} \circ (\mathcal{F} \otimes \mathcal{I}_M) \circ \mathcal{E}) . \tag{68}$$

Together with Equation (67) this yields our claim. □



Second, we consider a case of practical interest, i.e., channels of the form $\mathcal{F} = \mathcal{N}^{\otimes N}$. Let us first establish some basic limits to security in this case. Note that for rates $R < Q_{\to}(\mathcal{N})$, we have from Equation (64) that information can be sent reliably. That is, cheating Bob is able to store the transmitted qubits perfectly whenever Alice sends less than $n = RN < Q_{\to}(\mathcal{N})N$ qubits. Note that

$$R = \frac{1}{\nu} , \tag{69}$$

and thus in terms of the storage rate $\nu$ this condition reads $1 < Q_{\to}(\mathcal{N}) \cdot \nu$. Clearly, security cannot be obtained in this case.



14 Note that this also relates security to the one-shot capacity Q^-> (J 7 ) of an arbitrary channel T . 
1. Strong converse parameter

But what happens for $R > Q_{\to}(\mathcal{N})$? A weak converse for the quantum capacity states that for any encoding $\mathcal{E}$ and decoding scheme $\mathcal{D}$, the channel fidelity is bounded away from 1. A strong converse states that for any encoding and decoding scheme

$$F_c(\mathcal{D} \circ (\mathcal{F} \otimes \mathcal{I}_M) \circ \mathcal{E}) \leq 2^{-\gamma^Q(\mathcal{N}, R) \cdot N} , \tag{70}$$

where $\gamma^Q(\mathcal{N}, R) > 0$ is the strong converse parameter of the channel $\mathcal{N}$ at rate $R$. We are now ready to make a formal statement of security. For this special case we obtain the following corollary by combining Theorem V.1, Equation (70) and $N = \nu \cdot n$.

Corollary V.2. Let Bob's storage device be of the form $\mathcal{F} = \mathcal{N}^{\otimes \nu n}$ with $\nu \cdot Q_{\to}(\mathcal{N}) < 1$ and either $\nu \cdot \gamma^Q(\mathcal{N}, 1/\nu) > 2 - \log(3)$ or $\nu \cdot \gamma^Q(\mathcal{N}, 1/\nu) < 1 + \kappa/n$. For any choice of constant parameters $\varepsilon, \delta' > 0$, Protocol 1 implements $(n, \lambda, \varepsilon, 1/3)$-WSE with
(n,X,E,l/3)-WSE with 



A = log(3) - 1 - max (o, v • 7 Q (A", 1/v) - 1 --)--(£ + 1) 
I n J n 



(71) 



where $\kappa = \log(2/\delta'^2 + 1)$ and $\xi = \log(1/(\varepsilon^2/2 - \delta')^2)$.

Note that at first glance, the condition $\nu \cdot \gamma^Q(\mathcal{N}, R) > 2 - \log(3)$ seems to favor large $\nu$. However, note that $\gamma^Q$ will be larger if the rate $R = 1/\nu$ at which we send information is higher. An illustrative example is provided below.

Given $Q_{\to}(\mathcal{N})$ and $\gamma^Q(\mathcal{N}, R)$ we can thus in principle apply the theorem above to evaluate security parameters for any choice of $\mathcal{N}$. Yet, it should be emphasized that determining the quantum capacity of a channel is in general a very hard problem. Indeed, with the exception of so-called degradable channels, determining the quantum capacity of even rather innocent looking channels forms an elusive problem (see e.g. [68] and references therein). For example, even for the depolarizing channel which either outputs the original state with some probability $r$, or otherwise replaces it with the fully mixed state, mere bounds on the quantum capacity are known. Since a strong converse implies a sharp bound for information transmission, the existence of a strong converse for rates $R$ above a certain threshold places a bound on the capacity. Hence, it is not surprising that determining the strong converse parameter for a channel $\mathcal{N}$ when sending information at a rate $R$ poses a challenge. For a long time it was only known that such a parameter exists for $R > C_E(\mathcal{N})/2$, where $C_E(\mathcal{N})$ is the classical entanglement assisted capacity of $\mathcal{N}$. Indeed, the first further result was obtained only very recently by showing $\gamma^Q(\mathcal{N}, R) > 0$ for $R > E_C(\mathcal{N})$, where $E_C(\mathcal{N}) \geq Q_{\to}(\mathcal{N})$ is the entanglement cost of $\mathcal{N}$, capturing aspects of how well quantum rather than classical information can be transmitted through $\mathcal{N}$ [TT].



2. Example: bounded storage 



Yet, to get some intuition about the parameters above, let us now consider the example of bounded, noise-free, storage. The quantum capacity of the one qubit identity channel $\mathcal{N} = \mathcal{I}_2$ is simply $Q_{\to}(\mathcal{I}_2) = 1$. A strong converse is easy to obtain. For completeness, we here provide a simple argument with slightly better parameters in the case of classical forward communication.

Lemma V.3. The strong converse parameter of the one qubit identity channel obeys $\gamma^Q(\mathcal{I}_2, R) = R - 1 > 0$.
Proof. Consider a decomposition of the encoding and decoding map in terms of their Kraus operators as £ (p) = 



J2j EjPEj an d Tf(p) = J2k m Dk,mpD\ m where D km = D km ® |m) (m|. Note that wlog the latter has this form since 

it is processing classical forward communication on M. Let Uk, m denote the projector onto the subspace that Dk, m 
maps to. We can now bound 



F c (Vo(Xf N ®T M )o£) 



E 

jkm 



tr 



<E tr 

jkm 



Dl-rn.Ei 



Dl-m.Ei 



< 2 -{R-l)N tx 



Vo£ 



2 NR 

I 

jNR 



tr 



2 NR 



\2 NR 



(72) 

(73) 

(74) 
(75) 
where the first equality is a standard rewriting QUI, the second is given by the Cauchy-Schwarz inequality, and the last equality is given by the fact that $\mathcal{D}$ and $\mathcal{E}$ are trace preserving. □



Plugging this strong converse parameter into Theorem V.1 and noting that $R = 1/\nu$ we obtain the following

Corollary V.4. Let Bob's storage device be of the form $\mathcal{F} = \mathcal{I}_2^{\otimes \nu n}$ with $\nu < \log(3) - 1 \approx 0.585$. For any choice of constant parameters $\varepsilon, \delta' > 0$, Protocol 1 implements $(n, \lambda, \varepsilon, 1/3)$-WSE with

$$\lambda = (\log(3) - 1) - \nu - \frac{1}{n}(\kappa + \xi + 1) , \tag{76}$$

where $\kappa = \log(2/\delta'^2 + 1)$ and $\xi = \log(1/(\varepsilon^2/2 - \delta')^2)$.

We note that for the case of bounded storage in an independent and identically distributed asymptotic setting, that is $\mathcal{F} = \mathcal{I}_2^{\otimes \nu n}$ with $n \to \infty$, the parameters obtained here are slightly worse than what was obtained in [63], where security was shown to be possible for $\nu < 2/3$ instead of $\nu < 0.585$. This is due to the fact that the lower bound 0.585 in our uncertainty relation stems from an expression involving the collision entropy (see Appendix A 1 for the definition) rather than the Shannon entropy. We emphasize however, that due to finite size effects our bound is still better in the practically relevant regime of $n < 10^6$ (for the same security parameters).
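
An added calculator for the finite-size rate of Equation (76) (not code from the paper): it evaluates λ with base-2 logarithms, consistent with log(3) - 1 ≈ 0.585, and finds the smallest block length n that gives a rate above a target. The function names and the requirement δ' < ε²/2 are assumptions of this sketch.

```python
import math

# Per-qubit uncertainty bound for 3 MUBs, log2(3) - 1 ~ 0.585.
LOG3_MINUS_1 = math.log2(3) - 1


def finite_size_terms(eps, delta_p):
    """Return (kappa, xi) as defined below Equation (76), logs base 2."""
    # Assumption of this sketch: delta' must stay below eps^2/2 so that the
    # smoothing budget eps^2/2 - delta' inside xi is strictly positive.
    if not (0 < delta_p < eps ** 2 / 2):
        raise ValueError("need 0 < delta' < eps^2 / 2")
    kappa = math.log2(2 / delta_p ** 2 + 1)
    xi = math.log2(1 / (eps ** 2 / 2 - delta_p) ** 2)
    return kappa, xi


def wse_rate(n, nu, eps, delta_p):
    """Min-entropy rate lambda of Equation (76) for bounded storage rate nu."""
    if n <= 0:
        raise ValueError("n must be positive")
    if not (0 <= nu < LOG3_MINUS_1):
        raise ValueError("Corollary V.4 requires nu < log2(3) - 1")
    kappa, xi = finite_size_terms(eps, delta_p)
    return LOG3_MINUS_1 - nu - (kappa + xi + 1) / n


def min_block_length(nu, eps, delta_p, target_rate=0.0):
    """Smallest n for which wse_rate(n, ...) exceeds target_rate."""
    kappa, xi = finite_size_terms(eps, delta_p)
    margin = LOG3_MINUS_1 - nu - target_rate
    if margin <= 0:
        raise ValueError("target rate is not reachable at this storage rate")
    # lambda > target  <=>  n > (kappa + xi + 1) / margin
    return math.floor((kappa + xi + 1) / margin) + 1


def rate_table(nu, eps, delta_p, block_lengths):
    """(n, lambda) pairs showing how the 1/n penalty fades with block length."""
    return [(n, wse_rate(n, nu, eps, delta_p)) for n in block_lengths]


if __name__ == "__main__":
    # Constructed sample parameters: Bob stores 0.4 qubits per transmitted qubit.
    nu, eps, delta_p = 0.4, 0.01, 2.5e-5
    print("minimum n for a positive rate:", min_block_length(nu, eps, delta_p))
    for n, lam in rate_table(nu, eps, delta_p, [10**3, 10**4, 10**5, 10**6]):
        print(f"n = {n:>8}  lambda = {lam:.5f}")
```

The 1/n term is dominated by κ + ξ, so tightening ε or δ' raises the minimum block length, while the asymptotic rate depends only on ν.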



VI. DISCUSSION AND OUTLOOK 



Motivated by the problem of using physical resources to extract true classical randomness, we introduced the concept of quantum-to-classical randomness extractors. We emphasize that these QC-extractors also work against quantum side information. We showed that for a QC-extractor to distill randomness from a quantum state $\rho_{AE}$, the relevant quantity to bound is the conditional min-entropy $H_{\min}(A|E)_\rho$. This is in formal analogy with classical-to-classical extractors, in which case the relevant quantity is $H_{\min}(X|E)_\rho$.

We proceeded by showing various properties of QC-extractors and giving several examples for QC-extractors. In this context, it is illustrative to compare our results about QC-extractors with CC-extractors (holding against quantum side information as well). This is done in Table II.





CC-extractors 


QC-extractors 


Seed 


Lower bound 
Upper bounds 


log(n-fc)+21og(l/e) [71] 

log(n-fc) + 21og(l/e) (NE) 
c ■ log(7i/e) gD] 


Iog(l/e) 

m + logn + 41og(l/e) [Tb 
3n [Th III.8 


m.5 


(NE) 


Output 


Upper bound 
Lower bound 


fe-21og(l/e) EE] 
fe-21og(l/e) [4SG21E6] 


n + H£ n (A\E) [Pr 
ra + fc-21og(l/e) [T 


III.6 
h III. 





TABLE II: Known bounds on the seed size and output size in terms of (qu)bits for different kinds of $(k, \varepsilon)$-randomness extractors; $n$ refers to the number of input (qu)bits, $m$ the number of output (qu)bits and $k$ the min-entropy of the input $H_{\min}(A|E)$. Note that for QC-extractors, $k$ can be as small as $-n$. Additive absolute constants are omitted. The symbol (NE) denotes non-explicit constructions.

It is eye-catching that there is a vast difference between the upper and lower bounds for the seed size of QC-extractors. We were only able to show the existence of QC-extractors with seed length roughly the output size $m$, but we believe that it should be possible to find QC-extractors with much smaller seeds, say $O(\mathrm{polylog}(n))$ bits long, where $n$ is the input size. However, completely different techniques might be needed to address this question.

It is interesting to note that our results do indeed lend further justification to use Bell tests to certify randomness created by measuring a quantum system [2,, 20\ 1211 169]. Note that for a tripartite pure state $\rho_{ABE}$ where we want to create classical randomness by means of QC-extractors on $A$, we have to find a lower bound on $H_{\min}(A|E)_\rho$. But by the duality relation for min/max-entropies we have $H_{\min}(A|E)_\rho = -H_{\max}(A|B)_\rho$ [84], where the latter denotes the max-entropy as introduced in [56]. Since $H_{\max}(A|B)_\rho$ is again a measure for the entanglement between $A$ and $B$, one basically only has to do entanglement witnessing (e.g., Bell tests consuming part of the state) to ensure that the QC-extractor method can work (i.e. that $H_{\min}(A|E)_\rho$ is large enough). Note that any method to certify such an estimate would do and we could also use different measurements during the estimation process and the final extraction step. It would be interesting to know, if by using a particular QC-extractor, one can gain more randomness than in [U [5UJ [5TJ [53]. In [2], it was also remarked that if we want to extract randomness from $A$ and $B$, then it is not necessary for the joint state across $A$ and $B$ to be maximally entangled. Note that this is indeed intuitive as the amount of extractable randomness in this case is determined by $H_{\min}(AB|E)$ together.

As the first application, we showed that every QC-extractor gives rise to entropic uncertainty relations with quantum 
side information for the von Neumann (Shannon) entropy and the min-entropy. Here the seed size translates into the 
number of measurements in the uncertainty relation. Since it is in general difficult to obtain uncertainty relations for 
a small set of measurements (except for the special case of two), finding QC-extractors with a small seed size is also 
worth pursuing from the point of view of uncertainty relations. 

As the second application, we used the bitwise QC-extractor from Section III C to show that the security in the noisy storage model can be related to the strong converse rate of the quantum storage; a problem that attracted quite some attention over the last few years. Here one can also see the usefulness of bitwise QC-extractors for quantum cryptography. Indeed, any bitwise QC-extractor would yield a protocol for weak string erasure. Bitwise measurements have a very simple structure, and hence are implementable with current technology. In that respect, it would be interesting to see if a similar QC-extractor can also be proven for only two (complementary) measurements per qubit. This would give a protocol for weak string erasure using BB84 bases as in [58].

We expect that QC-extractors will have many more applications in quantum cryptography, e.g., quantum key distribution. One possible interesting application could be to prove the security of oblivious transfer when purifying the protocol of [58]. Yet, it would require additional concepts of 'entanglement sampling' which still elude us.
Appendix A: Properties of Smooth Entropy Measures



1. Collision entropy and alternative smooth entropies 



For technical reasons, we need some more entropic quantities. We start with the quantum conditional collision entropy. For a state $\rho_{AB} \in \mathcal{S}(AB)$ relative to a state $\sigma_B \in \mathcal{S}(B)$, it is defined as

$$H_2(A|B)_{\rho|\sigma} = -\log \mathrm{tr}\left[\left((I_A \otimes \sigma_B^{-1/4}) \rho_{AB} (I_A \otimes \sigma_B^{-1/4})\right)^2\right] , \tag{A1}$$

where the inverses are generalized inverses. 15 Next we introduce the following alternative smooth conditional min-entropy. For a state $\rho_{AB} \in \mathcal{S}(AB)$ it is defined as

H^ in (A\B) p]p = max H min (A\B) plp . (A2) 

Pab£B c (pab) 

We will also need the conditional max-entropy

$$H_{\max}(A|B)_\rho = \max_{\sigma_B \in \mathcal{S}(B)} \log F(\rho_{AB}, I_A \otimes \sigma_B)^2 , \tag{A3}$$

and its smooth version 

H^ ax (A\B) p = _ min H m ^(A\B) p . (A4) 

PAB£B e (pab) 

The following lemma relates the collision and the min-entropy. 



15 For $M_A \in \mathcal{L}(A)$, $M_A^{-1}$ is a generalized inverse of $M_A$ if $M_A M_A^{-1} = M_A^{-1} M_A = \mathrm{supp}(M_A) = \mathrm{supp}(M_A^{-1})$, where supp(.) denotes the support.

Lemma A.1. Let $\rho_{AB} \in \mathcal{S}_{\leq}(AB)$ and $\sigma_B \in \mathcal{S}(B)$ with $\mathrm{supp}(\rho_{AB}) \subseteq I_A \otimes \mathrm{supp}(\sigma_B)$, where supp(.) denotes the support. Then

$$H_{\min}(A|B)_{\rho|\sigma} \leq H_2(A|B)_{\rho|\sigma} . \tag{A5}$$



Proof. We have supp(pab) Cl^® supp(ps) and hence by [Ml Lemma B.2] 

H miTl {A\B) p]ry = -log max tr cj^b ( IU ® ^ B 1/2 ) p AB (l^ <g) cr B 1/2 ) 

UiaCS(AB) I. V /V / 

where the inverses are generalized inverses. But for pab = t p , AB i € S(AB) we have, 



H 2 {A\B) pW = - log tr 



PAS 



tr[pA 

^fi 1,72 ) PAB (lA ® CT^ 1 



/2 



= -logtr [p^s] ^ logtr 
> — log max tr ujab 

luab£S(AB) L 



PAB UA ® cr B 1/2 J pAB (Ia ® cr^ 2 



(iU ® cr B 1/2 ^) PAB (lA ® 0" fl 1/2 



= -H r min(A|B) p | c 



(A6) 

(A7) 
(A8) 
(A9) 

□ 



Finally, we also need a relation between the standard min-entropy, and the alternative definition from above. 
Lemma A. 2. JEB Lemma 18] Let e' > 0, e' > 0, and pab € S(AB). Then 



H^(A\B) p - log 



1 

1 -e 



(A10) 



2. Chain Rules 

The smooth conditional min- and max-entropy fulfill a duality relation. 

Lemma A. 3. \8$ Let pab € S(AB), e > 0, and pabc be an arbitrary purification of pab- Then 

H^(A\B) p = -H^ m (A\C) p . (All) 

The following shows that the min-entropy can not increase too much by a measurement on the first system.

Lemma A.4. Let $\rho_{AB} \in \mathcal{S}(AB)$, $\varepsilon > 0$, and $\{P_x\}_{x=1}^{|X|}$ be a projective rank-one measurement on $A$. Then

$$H^{\varepsilon}_{\min}(X|B)_\rho \leq H^{\varepsilon}_{\min}(A|B)_\rho + \log|X| . \tag{A12}$$

Proof. Let Va-^-xx' be an isometric purification of {P x } and pxx'BB' a purification of pxx'B = VpabV^. By the 
invariance of the min-entropy under local isometries |84[ Lemma 13] and the duality between the min- and max-entropy 
(Lemma A.3), the proposition becomes equivalent to 



H^(XX'\B') P < H s max {X\X'B') p + log \X\ 
For pxx'B' £ B 6 (pxx'B') and <jx>b> € S(X'B') such that 

H^ ax (X\X'B') p = \ogF{pxx'Bjx®6-x>B>? 
as well as pxx'B' € B e {pxx'B') and ob € S(B) such that 

H^ ax {XX'\B') p = log F(pxx>B,lxx' ® SB') 2 



the claim follows by the definition of the max-entropy (Equation (A3|-(A4|) together with the observation 



Hl^{XX'\B') p < log ( \X\ ■ F{pxx>B>Jx <8 <8 ^j" ) < log F(p X x>B-, lx ® ^x'S') 2 + log |A| 



(A13) 
(A14) 
(A15) 

(A16) 

□ 
3. Asymptotic behavior

The von Neumann entropy can be seen as a special case of the smooth min-entropy. The underlying technical 
statement that makes this precise, is the asymptotic equipartition property (AEP) for the smooth conditional min- 
entropy. 



Lemma A.5. [?, Remark 10] Let $\rho_{AB} \in \mathcal{S}(AB)$, $\varepsilon > 0$, and $n \geq 2(1 - \varepsilon^2)$. Then



1 VI -2 log £ (2 + ^ 

-H e min (A\B) p ^ lp ^ > H{A\B) P ^ -—L . (A17) 



Appendix B: Technical Lemmata 



Throughout, we will need a number of technical results and definitions, summarized here for convenience. In 
the following we state all results in our own notation and only as general as we need them (which may result in 
a simplification compared to the given references). We start with a general decoupling result about exact unitary 
2-designs. 

Lemma B.1. [?, Theorem 3.7] Let $A = A_1A_2$, and consider the map $\mathcal{T}_{A \to A_1}$ as defined in Equation (7). Then, if $\{U_1, \ldots, U_L\}$ defines an exact unitary 2-design (Definition III.3), we have for $\delta > 0$,



1 L 



Ta^A x (UiPAEUj) - t-^t <8> p E 



The full set of MUBs generates a complex projective 2-design. 
Lemma B.2. [?] Let $\{U_1, \ldots, U_{|A|+1}\}$ define a full set of mutually unbiased bases of $A$. Then

1 \A\ + 1 



2n sym 



\A\(\A\+iy 



(Bl) 



(B2) 



U|(U| + 1) ^ < 

where $\Pi^{\mathrm{sym}}$ is the projector onto the symmetric subspace spanned by the vectors $|aa'\rangle + |a'a\rangle$ for $a, a' \in [A]$.

The following well known 'swap trick' is used to prove decoupling statements.
Lemma B.3. Let $M, N \in \mathcal{L}(A)$. Then,

$$\mathrm{tr}[MN] = \mathrm{tr}[(M \otimes N) F] , \tag{B3}$$

where $F = \sum_{aa'} |aa'\rangle\langle a'a|$ is the swap operator.
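A numerical check of Lemma B.2 and Lemma B.3, added here as an example and not taken from the paper. It assumes the standard full MUB set in odd prime dimension $d$ (the computational basis plus the vectors $d^{-1/2}\,\omega^{k m^2 + j m}$ with $\omega = e^{2\pi i/d}$), and verifies that these $d(d+1)$ vectors satisfy $\sum_v (|v\rangle\langle v|)^{\otimes 2} = 2\Pi^{\mathrm{sym}} = \mathbb{1} + F$ and that $\mathrm{tr}[MN] = \mathrm{tr}[(M \otimes N)F]$ for random $M, N$.

```python
import cmath
import itertools
import random

def mub_vectors(d):
    """d*(d+1) vectors of a full MUB set for an odd prime d (assumed construction)."""
    w = cmath.exp(2j * cmath.pi / d)
    vecs = [[1.0 if m == j else 0.0 for m in range(d)] for j in range(d)]
    for k, j in itertools.product(range(d), repeat=2):  # basis k, vector j
        vecs.append([w ** ((k * m * m + j * m) % d) / d ** 0.5 for m in range(d)])
    return vecs

def max_bias(d):
    """Largest deviation of |<u|v>|^2 from 1/d over vectors from different bases."""
    vecs, worst = mub_vectors(d), 0.0
    for s, t in itertools.combinations(range(len(vecs)), 2):
        if s // d != t // d:  # vectors s and t belong to different bases
            ip = sum(complex(x).conjugate() * y for x, y in zip(vecs[s], vecs[t]))
            worst = max(worst, abs(abs(ip) ** 2 - 1 / d))
    return worst

def swap_operator(d):
    """F = sum_{a,a'} |a a'><a' a| as a d^2 x d^2 matrix (row index a*d + a')."""
    F = [[0.0] * (d * d) for _ in range(d * d)]
    for a, b in itertools.product(range(d), repeat=2):
        F[a * d + b][b * d + a] = 1.0
    return F

def two_design_deviation(d):
    """Largest entry of sum_v (|v><v|)^(x)2 - (1 + F); zero means the sum is 2*Pi_sym."""
    F, vecs, worst = swap_operator(d), mub_vectors(d), 0.0
    for a, b, c, e in itertools.product(range(d), repeat=4):
        s = sum(v[a] * v[b] * complex(v[c] * v[e]).conjugate() for v in vecs)
        target = (1.0 if (a, b) == (c, e) else 0.0) + F[a * d + b][c * d + e]
        worst = max(worst, abs(s - target))
    return worst

def swap_trick_gap(d, seed=0):
    """|tr[MN] - tr[(M (x) N) F]| for random complex d x d matrices M, N."""
    rng = random.Random(seed)
    def rand():
        return [[complex(rng.gauss(0, 1), rng.gauss(0, 1)) for _ in range(d)]
                for _ in range(d)]
    M, N, F = rand(), rand(), swap_operator(d)
    n = d * d
    # Kronecker product M (x) N with row index a*d + a'
    MN = [[M[r // d][c // d] * N[r % d][c % d] for c in range(n)] for r in range(n)]
    lhs = sum(M[a][b] * N[b][a] for a in range(d) for b in range(d))   # tr[MN]
    rhs = sum(MN[r][k] * F[k][r] for r in range(n) for k in range(n))  # tr[(M (x) N) F]
    return abs(lhs - rhs)

if __name__ == "__main__":
    for d in (3, 5):
        print(d, max_bias(d), two_design_deviation(d), swap_trick_gap(d))
```

The construction used here does not cover $d = 2$ or prime powers, which need a different MUB construction.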

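The following is called operator Chernoff bound.
Lemma B.4. [?, Theorem 19] Let $X_1, \ldots, X_L$ be iid random variables and $0 \leq X_i \leq \mathbb{1}$, $\mathbb{E}\{X_i\} = \Gamma \geq \alpha \mathbb{1}$. Then

$$\Pr\left\{ \frac{1}{L} \sum_{i=1}^{L} X_i \leq (1 + \eta)\Gamma \right\} \geq 1 - d \exp\left( -\frac{L \eta^2 \alpha}{2 \ln 2} \right) . \tag{B4}$$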



Appendix C: Proofs of QC-Extractors 



In this section, we provide the full proofs of our claims regarding QC-extractors. In the proofs we need the Hilbert-Schmidt norm, given by $\|\rho\|_2 = \sqrt{\mathrm{tr}[\rho^{\dagger}\rho]}$.

Theorem III.5. Let $A = A_1A_2$ with $n = \log |A|$ and $\mathcal{T}_{A \to A_1}$ be the measurement map defined in Equation (7). Let $\varepsilon > 0$, $c$ be a sufficiently large constant, and

$$\log |A_1| \leq n + k - 4\log(1/\varepsilon) - c$$

as well as

$$\log L \geq \log |A_1| + \log n + 4\log(1/\varepsilon) + c . \tag{C1}$$

Then, choosing $L$ unitaries $\{U_1, \ldots, U_L\}$ independently according to the Haar measure defines a $(k, \varepsilon)$-QC-extractor with high probability (see Equation (C20) for a precise bound).
Proof. We use one-shot decoupling techniques as developed in [TQl [321 E31 IS01 IHI]. Let U be a unitary on A. Using
the Hoelder-type inequality (see e.g. [15]) 



ll^7lli<IIKIli 



n|i/Hii^||i/s||| 7 |*||i/* 



(C2) 



with r = t = 4, a = 2, and a = 7 = ® p^) 1 / 4 , £ = ® p^-V* (r(Up AE W) ~^®Pe) (l Al ® Ps)^ 4 , 
get that 16 



we 



T(U P aeU*) - 

l A il 



< lAijV^/tr (i Al ® p B r 1/4 (V^p^c/t) - ^ ® P£ j ® P£ )- 1/4 



® Ps)" 1/4 (r {Up AE Ul) ^ ® p £ ) 



Pi?) 



-1/4 



(C3) 
(C4) 

(C5) 



where $\tilde{\rho}_{AE} = (\mathbb{1}_A \otimes \rho_E)^{-1/4} \rho_{AE} (\mathbb{1}_A \otimes \rho_E)^{-1/4}$. Together with the concavity of the square root function, this implies

I 2 

Pb S * 7 > 7 1 u lPAE u; 1 - r— l ® p B (C6) 



~£ T(u iPAE u\ 



l^i 



1 \ i=l 



Mi 




\ 



1 - 

\aa\y. 



tr 



i=l 



We continue with 



1 L 



tr 



T [U iPAE Uj] -r-r^^PE 



1 

L 



^tr[r(l^ s [/t)] Z _2tr T(u iPAE U}) (j^®PE 



tr 



\Ai\ 



Pe 



and first compute the cross term 



tr 



> Pe 



1 

1 

1^1 



tr 



T^paeU}) {1 Ai ®~ Pe ) 



tr [Pe] 



Going back to Equation (C10), we obtain

L 



T{u iPAE u} 



l^il 



1 AE 



2 , L 

= L 



(C7) 
(C8) 



(C9) 
(CIO) 

(Cll) 
(C12) 



^J2tv[r{u iPAE Uj)] 2 - pjtr[p|] . (C13) 



The inverses are generalized inverses. 
We now compute the first term using the 'swap trick' (Lemma B.3)
tr [T(U paeU^)] 2 =tr 



'^2(a 1 a 2 \UpAEU' t \a 1 a2)\ai)( 



tr 



EE' i 



^oao'^l^pSKOVi^ai^loioiXoioil (^a; ® ^ 
= X) tr [pH(^ 2 ) t |aia2a'ia2)(aiail (^AJ ® loiaiX*!^*!*^ 



(C14) 

(C15) 
(C16) 



Taking the average over the set $\{U_1, \ldots, U_L\}$, we get



it"! 7 



UiPAEU ri 



= E tr 



=®2 



^E{(^f 2 ) f loi^oiaiXoioilF^AiloxaiXoxOaai^lC^ 2 } 

i=l 

(C17) 



tr 



(C18) 



Using for example [33, Lemma 3.4], if $U$ is distributed according to the Haar measure on the group of unitaries acting on $A$, then



f \A\\A2\-l 



\A\-\A 2 \ 

AA> + I .in AA' = 1 AA< 

\ A \ ~ 1 



E[/ < (J7 t ) ^2 \aia2axa2) (a 1 a 2 a 1 a' 2 \U' i 
Now we note that M^Tg^rp 1 > 2IA7T ' an< ^ a PP^ an °P era tor Chernoff bound (Lemma 

Pr |^E(^) 02 E kxaaOi^Xoiaaa^lt^^a + ^rl > 1 - L4| exp (-^ ? 



(C19) 



B.4) to get 



4 In 2 



(C20) 



This shows that if $L \geq 2 \cdot 4 \ln 2 \cdot |A_1| \log |A| / \eta^2$, the unitaries $U_1, \ldots, U_L$ satisfy the above operator inequality with high probability. In the rest of the proof, we show that such unitaries define QC-extractors. Putting these unitaries in Equation (C18), we get



ll^ tT [ r { U *Pae{ Ui) 'JJ <(l + ry) ^ [Ap^i tr ^ + [A |2 _ j tr [PaeJ 



(C21) 



Plugging this expression in Equation (C13) and then in Equation (C8), we get 

L 



is 



T U lPAE {Ui) 



Pe 



- \l (1 + v) { iV-i / tr [ ^ ] + (1 + ^ v iV-i J tr " tr 



41ll4-4 



\A\- 



since tr \p%\ = tr 



tr^ 



Ua ® Pij 1/4 ) PAS UU ® 



(C22) 
(C23) 



tr [/9_e] = 1. By the definition of the conditional collision 



entropy (Equation (A1)) and Lemma A.1 it follows that,



, l 

Z E t(u xPA e(uJ 
i=l 



N_lA L( 




> \Ax\ 


S> Pe 



< l/77 + (l + T?) 



4l| 



14 + 1 



2 --W2(A|£) p | p 



<^+(1 + ?? )^ t 2-^.»(^)h p . 



(C24) 
(C25) 
Now let $\rho'_{AE} \in \mathcal{B}^{\delta+\delta'}(\rho_{AE})$ be such that $H^{\delta+\delta'}_{\min}(A|E)_{\rho|\rho} = H_{\min}(A|E)_{\rho'|\rho'}$. Since we have $\|\rho'_{AE} - \rho_{AE}\|_1 \leq 2(\delta + \delta')$ (by Equation (11)), we know that by the (reverse) triangle inequality and the monotonicity of the trace distance,



\\T(U PAE tf) - ^- ® p E \\i - \\T(Up' AE tf) ® H|i 



<l|r(^^^t)-r(^i/t)||i 

< IIPas-P^IIi < 2(5 + 5') , 



and hence applying (C25) to $\rho'_{AE}$, we get



1 L 

7E 



t[u iPAE (tr^J-pgr®^ 



- V " + (1 + ^pTI 2 "^' (A ' £)plP + 2(<5 + 5 ' } ' 



We then use Lemma A.2 about the equivalence of the different conditional min-entropies to get

L 



is 



Idl_ 
4l| 



i < X+0 + jij^2-^i»(^),+* + 2(5 + 5') , 



(C26) 
(C27) 

(C28) 
(C29) 



T[u lPAE (u t y 

i=l 

with $z = \log(2/\delta'^2 + 1/(1 - \delta))$. Setting $\eta = \varepsilon^2/4$, $\delta = 0$, $\delta' = \varepsilon/4$, and assuming $\log |A_1| \leq n + k - 4\log(1/\varepsilon) - c$ with $k = H_{\min}(A|E)_{\rho}$, we get for large enough $c$



+ (1 + t?) - 2- g min(A|i;) p + z + < e /2 + ^/e 2 ^ + 2 ■ 2 fc - 41 °g( 1 /£)-e-fc+i°g(s/e 2 +i) 

< e/2 + v/e 2 /4 + e 2 • 2!- c + 4 < e . 



(C30) 

(C31) 
□ 



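Theorem III.8. Let $A = A_1A_2$ with $n = \log |A|$, $|A|$ a prime power, and consider the map $\mathcal{T}_{A \to A_1}$ as defined in Equation (7). Then, if $\{U_1, \ldots, U_{|A|+1}\}$ defines a full set of mutually unbiased bases, we have for $\delta \geq 0$,

$$\frac{1}{|\mathcal{P}|} \frac{1}{|A|+1} \sum_{P \in \mathcal{P}} \sum_{i=1}^{|A|+1} \left\| \mathcal{T}_{A \to A_1}\left( P U_i \rho_{AE} (P U_i)^{\dagger} \right) - \frac{\mathbb{1}_{A_1}}{|A_1|} \otimes \rho_E \right\|_1 \leq \sqrt{ \frac{|A_1|}{|A|+1} \, 2^{-H^{\delta}_{\min}(A|E)_{\rho}} } + 2\delta , \tag{C32}$$

where $\mathcal{P}$ is a set of pair-wise independent permutation matrices. In particular, the set $\{P U_i : P \in \mathcal{P}, i \in [|A|+1]\}$ defines a $(k, \varepsilon)$-QC-extractor provided

$$\log |A_1| \leq n + k - 2\log(1/\varepsilon) \tag{C33}$$

and the number of unitaries is

$$L = (|A|+1)|\mathcal{P}| = (|A|+1)|A|(|A|-1) . \tag{C34}$$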

Proof. Let $\sigma_E \in \mathcal{S}(E)$. Similarly as in the proof of Theorem III.5, but with the difference that now $\tilde{\rho}_{AE} = (\mathbb{1}_A \otimes \sigma_E)^{-1/4} \rho_{AE} (\mathbb{1}_A \otimes \sigma_E)^{-1/4}$, we get



1 1 



\A\+1 



iE E 



T[PU iPAE (PU^ - 1 -j^®Pe 



T{PU iPAE (FUrf) ~j^®PE 



< 



\ 



M E tr pll E P,i{(^ t ) 8 %i«2ai^)<aia 2 ai^|(P[/0® 2 )®^E 



tr [/>! 



(C35) 
(C36) 



We handle the case $a_2 = a_2'$ and the case $a_2 \neq a_2'$ differently. When $a_2 = a_2'$, we have $(U_i^{\dagger})^{\otimes 2} |aa\rangle\langle aa| U_i^{\otimes 2} = (U_i^{\dagger} |a\rangle\langle a| U_i)^{\otimes 2}$, where $a = P^{-1}(a_1a_2)$. As $\{U_1, \ldots, U_{|A|+1}\}$ form a full set of mutually unbiased bases, the vectors $\{U_i^{\dagger}|a\rangle\}_{i,a}$ define a complex projective 2-design (Lemma B.2), and we get

Bp^{ulP^y j2 \a 1 a 2 a ia ' 2 )( ai a 2ai a' 2 \(PUf 2 ^ = ^ E, | ([//) ^ |aa) (aa|(7f 2 | (C37) 



aia2,a 2 — 02 



= 14 



2irj™ _ W + ^ 



(14 + 1)14 14 + 1 



(C38) 
We now consider $a_2 \neq a_2'$ and use the fact that the permutations are chosen to be pairwise independent. Similar techniques were used in the context of decoupling in [80]. We have



E 



P {(P^f 2 \a 1 a 2 a 1 a / 2 )(a 1 a 2 a 1 a / 2 \P (g ' 2 } = E P {| J p- 1 (aia 2 ))<^- 1 (aia 2 )| ® |p- 1 (a 1 a 2 ))(p- 1 (a 1 a 2 )|} (C39) 

= Pr P { p_1 ( a i«2) = a,P _1 (aia 2 ) = a'} \a)(a\ <g> |a')(a'| (C40) 



\A\(\A\ 



\A\(\A\-l) \A\(\A\-1) 



lr7Y)Y,\ aa ^ c 



(C41) 
(C42) 



Going back to Equation (C38), we get together with Equation (C42) that for any $a_2 \neq a_2'$,



E 



(Uj) (P^f 2 | ai a 2 a ia2 )(a lfl2ai a 2 |P» 2 C/f 



\A\(\A\-l) \A\(\A\ 

^AA' ^AA> + FaA' 



(g>2 



|aa) (aa |E/f 



L4|(|A|-1) L4|(L4|-1)(L4| + 1) 
\A\I AA . - F AA , 
\A\(\A\*-l) ■ 



This being true for all $a_1, a_2, a_2'$, it follows with Equation (C36) that,



|Ai|tr 
1^1 



~<g>2 / + Paa' 



14 + 1 

r , |A|(|A 2 |-1) 



+ H(|A 2 |-1) 



|A| W - F AA > 



\A\ + 1 \A\ 2 -l 



\A\{\A\*-1) 
tr [p% {l AA ,®F EE ,)]+\A 



Fkk> 



(C43) 
(C44) 

(C45) 



(C46) 
(C47) 



1 



IAol-1 



(C48) 



\A\-\A 2 \ 
\A?-l 



^[p AE ] - tr 



I^l 2 -I^i| 



1 tr[p|] 



Ai\\A\-\A\ 
\A\*-\ 



^[Pae\ < 



\A\ + l 



_ 2 -H 2 (A\E) p 



(C49) 
(C50) 



where we used the definition of the conditional collision entropy (Equation (A1)) in the last step. Now, by choosing $\sigma_E$ appropriately, and an analogous argument as at the very end of the proof of Theorem III.5, we conclude that,
2- h L,M\e) p + 2S
□
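The pairwise-independence property used in (C40), added here as an example and not taken from the paper. It assumes $|A| = p$ prime and takes the affine maps $x \mapsto ux + v \bmod p$ with $u \neq 0$ as the permutation family, which has $|A|(|A|-1)$ elements as in (C34), and checks by enumeration that $(P^{-1}(x), P^{-1}(x'))$ is uniform over ordered pairs of distinct elements.

```python
from collections import Counter
from fractions import Fraction

def affine_permutations(p):
    """Assumed family: x -> (u*x + v) mod p with u != 0, p prime; p*(p-1) permutations."""
    return [tuple((u * x + v) % p for x in range(p))
            for u in range(1, p) for v in range(p)]

def cyclic_shifts(p):
    """Contrast family: the p shifts x -> x + v, uniform on single points only."""
    return [tuple((x + v) % p for x in range(p)) for v in range(p)]

def preimage_pair_distribution(perms, x, x2):
    """Exact distribution of (P^{-1}(x), P^{-1}(x2)) for P drawn uniformly from perms."""
    counts = Counter()
    for perm in perms:
        inverse = {image: point for point, image in enumerate(perm)}
        counts[(inverse[x], inverse[x2])] += 1
    return {pair: Fraction(c, len(perms)) for pair, c in counts.items()}

def is_pairwise_independent(perms, p):
    """True iff each x != x2 lands on every ordered pair a != a2 with prob 1/(p(p-1))."""
    target = Fraction(1, p * (p - 1))
    for x in range(p):
        for x2 in range(p):
            if x == x2:
                continue
            dist = preimage_pair_distribution(perms, x, x2)
            # A permutation never maps two points to one, so p*(p-1) keys means
            # every off-diagonal pair (a, a2) occurs.
            if len(dist) != p * (p - 1) or any(pr != target for pr in dist.values()):
                return False
    return True

if __name__ == "__main__":
    for p in (3, 5, 7):
        print(p, is_pairwise_independent(affine_permutations(p), p),
              is_pairwise_independent(cyclic_shifts(p), p))
```

The shift-only family fails the check: it fixes the difference $P^{-1}(x) - P^{-1}(x')$, so the two preimages are fully correlated.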



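Theorem III.9. Let $A = A_1A_2$ with $|A| = d^n$, $|A_1| = d^{\xi n}$, $|A_2| = d^{(1-\xi) n}$, and $d$ a prime power. Consider the map $\mathcal{T}_{A \to A_1}$ as defined in Equation (7). Then for $\delta \geq 0$ and $\delta' > 0$

$$\frac{1}{|\mathcal{P}|} \frac{1}{(d+1)^n} \sum_{P \in \mathcal{P}} \sum_{V \in \mathcal{V}_{d,n}} \left\| \mathcal{T}_{A \to A_1}\left( P V \rho_{AE} (PV)^{\dagger} \right) - \frac{\mathbb{1}_{A_1}}{|A_1|} \otimes \rho_E \right\|_1 \leq \sqrt{ 2^{(1 - \log(d+1) + \xi \log d) n} \left( 1 + 2^{-H^{\delta}_{\min}(A|E)_{\rho} + z} \right) } + 2(\delta + \delta')$$

where $\mathcal{V}_{d,n}$ is defined as above, $\mathcal{P}$ is a set of pair-wise independent permutation matrices, and $z = \log\left( \frac{2}{\delta'^2} + \frac{1}{1-\delta} \right)$. In particular, the set $\{PV : P \in \mathcal{P}, V \in \mathcal{V}_{d,n}\}$ is a $(k, \varepsilon)$-extractor provided

$$\log |A_1| \leq (\log(d+1) - 1) n + \min\{0, k\} - 4\log(1/\varepsilon) - 7 \tag{C54}$$

and the number of unitaries is

$$L = (d+1)^n d^n (d^n - 1) . \tag{C55}$$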



Proof. We use the same strategy as in the proofs of Theorem III.5 and Theorem III.8, here again with $\tilde{\rho}_{AE} = (\mathbb{1}_A \otimes \rho_E)^{-1/4} \rho_{AE} (\mathbb{1}_A \otimes \rho_E)^{-1/4}$. We get

As $\{V_0, \ldots, V_d\}$ form a maximal set of mutually unbiased bases in dimension $d$, and with this form a complex projective 2-design (Lemma B.2), we have



(V f \a)(a\vf =2n s ^ m . 

ae{o,...,d},vev d . 1 

Furthermore (rnj" 1 )®™ < n^™„ for any quantum system B, and hence we obtain 

\ m 



(C58) 



(d + 1)" 



Together with Equation (C56) and Equation (C57), we get

Epy 
(C60)
+ ^ (^j) ") tr [p% (Iaa- 9 Fee')] + ^ (^) " tr [p% (F AA , - tr \p



(C62) 



< ^(1 + 2(i-i°g(^+i)+ei°g^)») tr [tr AA , [p% (1 A a> ® i^)]] + 2( 1 - 1 °s( rf + 1 )+« lo s rf )« tr[p A£ ] - tr [p|] (C63) 
= ^(i-iogt^+D+C logd)™ tr [^|] + 2 (i-iog(d+i)+« log d)„ tr jjjaTj ( C64 ) 

= y / 2( 1 - 1 °g( d + 1 )+« 1 °s d )» (l + 2~- ff2(j4|is) pip) , (C65) 



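where we used the definition of the conditional collision entropy (Equation (A1)) in the last step. Now, by an analogous argument as at the very end of the proof of Theorem III.5, we conclude that,

$$\mathbb{E}_{P,V} \left\| \mathcal{T}\left( P V \rho_{AE} (PV)^{\dagger} \right) - \frac{\mathbb{1}_{A_1}}{|A_1|} \otimes \rho_E \right\|_1 \leq \sqrt{ 2^{(1 - \log(d+1) + \xi \log d) n} \left( 1 + 2^{-H^{\delta}_{\min}(A|E)_{\rho} + z} \right) } + 2(\delta + \delta') . \tag{C66}$$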
Setting $\delta = 0$ and $\delta' = \varepsilon/4$, we conclude that the set $\{PV : P \in \mathcal{P}, V \in \mathcal{V}_{d,n}\}$ is a $(k, \varepsilon)$-QC-extractor provided



log \A x \=n • £ logd < (log(d + 1) - l)n - log(l + 2- fe + lo s( 8 / £2+1 )) + log((e/2) 2 ) 

< (log(d+l)-l)n + min{0,/c-log(8/e 2 + l)} - 1 - 21og(l/e) 

< (log(d + 1) - l)n + min {0, k} - 41og(l/e) - 7. 



(C67) 
(C68) 
(C69) 

□ 



Note that step (C61) is indeed striking when we consider the case of trivial side information. Effectively, one of the terms we wish to bound then is $\mathrm{tr}[\rho^{\otimes 2} M]$ where $M$ is given by the l.h.s. of (C59). This, however, is exactly what one bounds when proving entropic uncertainty relations for MUBs [6], or more generally anti-commuting measurements [92]. And indeed, in the case with quantum side information, our techniques also allow to directly derive entropic uncertainty relations with quantum side information in terms of the quantum conditional collision entropy (as defined in Equation (A1)) using the fact that MUBs form a complex projective 2-design. However, we are more interested in relations in terms of the min-entropy (see Section IV). On the other hand, it is an interesting question whether the techniques from [92] can be extended to give a better bound than the (probably too general) eigenvalue bound of (C59).



Appendix D: Proofs of Uncertainty Relations 

In this section, we provide the full proofs regarding our claims of entropic uncertainty relations. 



Proposition IV.4. Let $d \geq 2$ be a prime power, and $\{V_0, V_1, \ldots, V_d\}$ define a complete set of MUBs of $\mathbb{C}^d$. Consider the set of measurements $\{\mathcal{M}^j_{A \to K} : j \in [(d+1)^n]\}$ on the $n$ qudit space $A$ defined by the unitary transformations $\{V = V_{u_1} \otimes \cdots \otimes V_{u_n} \,|\, u_i \in \{0, \ldots, d\}\}$. Then for all $\rho_{AE} \in \mathcal{S}(AE)$, we have

$$\frac{1}{(d+1)^n} \sum_{j=1}^{(d+1)^n} H(K|E)_{\rho^j} \geq n \cdot (\log(d+1) - 1) + \min\{0, H(A|E)_{\rho}\} , \tag{D1}$$

where $\rho^j = \mathcal{M}^j_{A \to K}(\rho)$.



Proof. Using the QC-extractor for the single-qudit MUB case as discussed in Section III C, we get with the same reasoning as before that for $\varepsilon > 0$, $\delta > 0$,

\ ]T H(K\E) pj > (1 - e) (n (log(d + !)-!)- log (l + 2~^ A ^) - log [ {£ _\ s)2 ) ) - ^{e) 



3 = 1 

> 



(1 - s) (n (log(d +!)-!) + min {0, H 5 min (A\E) p]p } - 1 - log ( _ X J) - 2h(e) . (D2) 



Here we use a version with $H^{\delta}_{\min}(A|E)_{\rho|\rho}$ instead of $H^{\delta}_{\min}(A|E)_{\rho}$, but this is immediate from the proof of Theorem III.9. Evaluating Equation (D2) on the $m$-fold tensor product of the original input system $d^n$, and multiplying both sides with $1/m$, we obtain



l -Y,H(K\E) pj > (1-e) ^n(log(d+l)-l)+niin|o j ifZ5 lin (A|£0 P »»|p«-.}) (D3) 
> (1 - e) I n (log(d + !)-!) + min J 0, H(A\E) p - 4 V1 ~ 2 log ^ (2 ^1) 1 \ ^ 



'^l-losf^^V^. (DC) 



m \ \ (e — 25) 

Here we used the fully quantum asymptotic equipartition property for the smooth conditional min-entropy (Lemma A.5). By first letting $m \to \infty$ and then $\varepsilon \to 0$, we arrive at the claim. □

Appendix E: Definition Weak String Erasure

For convenience sake, we here provide a formal definition of weak string erasure [58] for $p \neq 1/2$ as given in [63], where we restrict to qubits ($d = 2$). The definition is stated in terms of ideal states, akin to an ideal functionality in classical cryptography. In the proof of security against dishonest Bob, we simply show that Bob's $\varepsilon$-smooth min-entropy is high. However, by (11) this implies that Bob's real state is $\varepsilon$-close to an ideal state of high min-entropy in trace distance. Note that for cryptographic purposes, we will specify distances in terms of the trace distance, since this is the relevant distance that determines how well the real protocol can be distinguished from the ideal state [?].

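In the definition below, we will need to talk about distributions over subsets $\mathcal{I} \subseteq [n]$, where each element of $[n]$ has probability $p$ of being in $\mathcal{I}$. Clearly, the probability that Bob learns a particular subset $\mathcal{I}$ satisfies

$$\Pr(\mathcal{I}) = p^{|\mathcal{I}|} (1 - p)^{n - |\mathcal{I}|} . \tag{E1}$$

Note that we can write the subset $\mathcal{I}$ as a string $(y_1, \ldots, y_n) \in \{0, 1\}^n$ where $y_i = 1$ if and only if $i \in \mathcal{I}$, allowing us to identify $|\mathcal{I}\rangle = |y_1\rangle \otimes \ldots \otimes |y_n\rangle$. The probability distribution over subsets $\mathcal{I} \subseteq [n]$ can then be expressed as (see also [55])

$$\Psi(p) = \sum_{\mathcal{I} \subseteq 2^{[n]}} p^{|\mathcal{I}|} (1 - p)^{n - |\mathcal{I}|} \, |\mathcal{I}\rangle\langle\mathcal{I}| . \tag{E2}$$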



Furthermore, we will follow the notation of [58] and use

$$\tau_S = \frac{1}{|S|} \sum_{s \in S} |s\rangle\langle s| , \tag{E3}$$

to denote the uniform distribution over a set $S$.



Definition E.1 (Non-uniform WSE). An $(n, \lambda, \varepsilon, p)$-weak string erasure scheme is a protocol between A and B satisfying the following properties:

Correctness: If both parties are honest, then there exists an ideal state $\sigma_{X^n \mathcal{I} X_{\mathcal{I}}}$ such that

1. The joint distribution of the $n$-bit string $X^n$ and subset $\mathcal{I}$ is given by

$$\sigma_{X^n \mathcal{I}} = \tau_{\{0,1\}^n} \otimes \Psi(p) , \tag{E4}$$

2. The joint state $\rho_{AB}$ created by the real protocol is equal to the ideal state: $\rho_{AB} = \sigma_{X^n \mathcal{I} X_{\mathcal{I}}}$ where we identify $(A, B)$ with $(X^n, \mathcal{I} X_{\mathcal{I}})$.

Security for Alice: If A is honest, then there exists an ideal state $\sigma_{X^n B'}$ such that

1. The amount of information $B'$ gives Bob about $X^n$ is limited:

$$\frac{1}{n} H_{\min}(X^n | B')_{\sigma} \geq \lambda \tag{E5}$$

2. The joint state $\rho_{AB'}$ created by the real protocol is $\varepsilon$-close to the ideal state in trace distance, where we identify $(X^n, B')$ with $(A, B')$.

Security for Bob: If B is honest, then there exists an ideal state $\sigma_{A' X^n \mathcal{I}}$ where $X^n \in \{0, 1\}^n$ and $\mathcal{I} \subseteq [n]$ such that

1. The random variable $\mathcal{I}$ is independent of $A' X^n$ and distributed over $2^{[n]}$ according to the probability distribution given by (E1):

$$\sigma_{A' X^n \mathcal{I}} = \sigma_{A' X^n} \otimes \Psi(p) . \tag{E6}$$

2. The joint state $\rho_{A'B}$ created by the real protocol is equal to the ideal state: $\rho_{A'B} = \sigma_{A'(\mathcal{I} X_{\mathcal{I}})}$, where we identify $(A', B)$ with $(A', \mathcal{I} X_{\mathcal{I}})$.